A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.
The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the “/papi/esearch/data/devops/dubboApi/debug/method” endpoint that allows an attacker to execute arbitrary commands by invoking exposed debug functionality.
“Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).
The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin said it was able to successfully reproduce the remote code execution vulnerability in its own alert released on March 17, 2026.
However, in a report published last week, the Vega Research Team said it identified active exploitation of CVE-2026-22679, with the earliest evidence of abuse dating back to March 17, 2026, five days after patches were shipped for the flaw.
“The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure,” security researcher Daniel Messing said.
The MSI installer, per the Israeli cybersecurity company, used the name “fanwei0324.msi,” indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for Weaver. The unknown threat actor has also been observed running discovery commands, such as whoami, ipconfig, and tasklist, throughout the campaign.
Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking if the susceptible API endpoint is accessible. Users are advised to apply the updates, if not already, to stay protected.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
