A significant security flaw in Weaver’s E-cology platform, known for enabling office automation and team collaboration, is currently being actively leveraged by cyber attackers. This vulnerability, identified as CVE-2026-22679 with a CVSS score of 9.8, permits unauthenticated remote code execution in versions of Weaver E-cology 10.0 released before March 12, 2026. The flaw is linked to the “/papi/esearch/data/devops/dubboApi/debug/method” endpoint, which attackers exploit to run arbitrary commands by manipulating debug functionalities.
Understanding the Exploitation
According to the National Vulnerability Database (NVD), attackers can send specially crafted POST requests with tailored interfaceName and methodName parameters to trigger command execution helpers, leading to arbitrary command execution on targeted systems. The Shadowserver Foundation first detected active exploitation on March 31, 2026. Meanwhile, QiAnXin, a security firm in China, confirmed the vulnerability’s exploitability through successful reproduction in their report dated March 17, 2026.
Timeline of the Threat
New insights from the Vega Research Team have uncovered that exploitation of CVE-2026-22679 was underway as early as March 17, 2026, shortly after patches were issued. The attack sequence involved a week of intensive operator activities, including verification of remote code execution, multiple failed attempts to drop payloads, an unsuccessful transition to an MSI implant, and attempts to retrieve PowerShell scripts from attacker-controlled servers. Security expert Daniel Messing outlined these activities in a recent analysis.
Indicators of Compromise and Mitigation
The malicious campaign involved using an MSI installer named “fanwei0324.msi,” suggesting an attempt to disguise the payload using a romanized version of Weaver’s name. The threat actor was also seen executing system discovery commands like whoami, ipconfig, and tasklist to gather information. To aid in detection, security researcher Kerem Oruc developed a Python script to identify vulnerable Weaver E-cology systems by checking the accessibility of the susceptible API endpoint. Users are strongly urged to implement the latest updates to fortify their defenses against this ongoing threat.
As cyber threats evolve, staying informed and proactive in applying security patches is crucial to safeguarding enterprise systems. The ongoing exploitation of the Weaver E-cology vulnerability underscores the importance of timely updates and vigilant monitoring of enterprise security landscapes.
