
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.
The vulnerability (CVE-2026-22679, CVSS score: 9.8) pertains to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the “/papi/esearch/information/devops/dubboApi/debug/methodology” endpoint, which allows an attacker to execute arbitrary commands by invoking exposed debug functionality.
“Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and obtain arbitrary command execution on the system,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).
The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin said it was able to successfully reproduce the remote code execution vulnerability in its own alert released on March 17, 2026.
However, in a report published last week, the Vega Analysis Crew said it identified active exploitation of CVE-2026-22679, with the earliest evidence of abuse dating back to March 17, 2026, 5 days after patches were shipped for the flaw.
“The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that didn’t produce a working install, and a brief burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure,” security researcher Daniel Messing said.
The MSI installer, per the Israeli cybersecurity company, used the name “fanwei0324.msi,” indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for Weaver. The unknown threat actor has also been observed running discovery commands, such as whoami, ipconfig, and tasklist, throughout the campaign.
Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking if the vulnerable API endpoint is accessible. Users are advised to apply the updates, if not already, to stay protected.
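For defenders reviewing their own servers, the sketch below is an added example (not Kerem Oruc's script and not code from any of the reports cited) that searches web access logs for requests to the debug endpoint described above. It assumes logs in the common/combined format, matches on the `dubboApi/debug` fragment of the path, and runs against constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Fragment of the endpoint path named in the article, lowercased for matching.
MARKER = "/dubboapi/debug/"

# Common/combined access log format (assumed; adjust for your proxy or server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode %-escapes, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Return one record per logged request that touches the debug endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or MARKER not in normalize_path(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"], "status": status,
            # A 2xx answer to a POST means the endpoint was reachable: triage this host.
            "served": m["method"] == "POST" and 200 <= status < 300,
        })
    return hits

def summarize(hits):
    """Count requests per (source IP, served) pair."""
    return Counter((h["ip"], h["served"]) for h in hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
P = "/papi/esearch/information/devops"
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2026:02:14:09 +0000] "POST {P}/dubboApi/debug/methodology HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [01/Jan/2026:02:15:00 +0000] "GET /login HTTP/1.1" 200 4096 "-" "-"',
    f'203.0.113.7 - - [01/Jan/2026:02:16:30 +0000] "POST {P}//DubboApi/%64ebug/methodology?x=1 HTTP/1.1" 200 87 "-" "-"',
    f'192.0.2.55 - - [01/Jan/2026:03:01:12 +0000] "POST {P}/dubboApi/debug/methodology HTTP/1.1" 404 0 "-" "-"',
    "not an access log line",
]

if __name__ == "__main__":
    for (ip, served), n in summarize(find_hits(SAMPLE)).items():
        print(f"{ip}\trequests={n}\tendpoint_answered={served}")
```

Hosts with `endpoint_answered=True` entries are the ones to check for the follow-on activity the report describes, such as whoami, ipconfig and tasklist spawned by the application's process or an unexpected MSI install.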

