Vulnerability Overview
A critical unauthenticated remote code execution vulnerability is being actively exploited in Weaver E-cology, a widely deployed enterprise collaboration and office automation platform. Tracked as CVE-2026-22679 with a CVSS score of 9.8, the flaw allows attackers to execute arbitrary operating system commands on vulnerable servers without any authentication.
The vulnerability resides in an exposed debug endpoint that is part of the Dubbo RPC framework integration. Attackers can craft HTTP POST requests with attacker-controlled parameters that are passed directly into internal method invocation logic without validation, ultimately reaching OS command execution helpers within the application's Java Virtual Machine running under Tomcat.
The Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin independently confirmed successful reproduction of the vulnerability on March 17, 2026. The Vega Research Team published a detailed report documenting a confirmed intrusion campaign that began as early as March 17, 2026 — just five days after patches were shipped.
Technical Details
The vulnerability exists in the exposed Dubbo RPC debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method. This endpoint is designed for internal development and debugging purposes but was left accessible without authentication in production deployments of E-cology 10.0. The endpoint accepts HTTP POST requests containing JSON parameters including "interfaceName" and "methodName" fields.
These user-supplied inputs are passed directly into the Dubbo RPC framework's method invocation logic without sanitization or authorization checks. An attacker can specify crafted values for these parameters to invoke internal Java methods that ultimately reach OS command execution helpers within the application's JVM. Because the application runs under Tomcat, successful exploitation grants command execution with the privileges of the Tomcat service account.
The vendor addressed the vulnerability on March 12, 2026, by removing the vulnerable debug endpoint entirely from production builds. Public proof-of-concept exploits are available, and detection scripts for both Python and Nmap have been published on GitHub.
The Vega Research Team documented a confirmed multi-phase intrusion campaign exploiting CVE-2026-22679. The attack targeted an internet-facing Windows server running an unpatched E-cology instance. All malicious activity originated from java.exe, confirming the RCE vulnerability as the entry point. The campaign included RCE verification via ping callbacks, three failed payload delivery attempts using PowerShell, an MSI implant disguised as "fanwei0324.msi" (using the romanized Chinese name for Weaver), and discovery commands including whoami, ipconfig, and tasklist.
Affected Versions
The vulnerability affects all Weaver E-cology 10.0 builds released prior to March 12, 2026. The vendor has not released comprehensive information about whether earlier major versions (9.x and below) are also affected. Organizations should verify their specific deployment with the vendor.
| Product | Affected Builds | Fixed Build | Status |
|---|---|---|---|
| E-cology 10.0 | All builds < 20260312 | 20260312 | Patched |
| E-cology 9.x and earlier | Unknown | — | Check with Vendor |
Recommendations
- Update E-cology to build 20260312 or later immediately. This update removes the vulnerable debug endpoint entirely. Contact Weaver support if you are unable to locate the update through standard channels.
- Block access to the vulnerable endpoint. As an interim measure, configure your web application firewall or reverse proxy to deny all requests to the path /papi/esearch/data/devops/dubboApi/debug/method.
- Audit for indicators of compromise. Review process execution logs for suspicious child processes spawned by java.exe, particularly whoami, ipconfig, tasklist, powershell.exe, and msiexec.exe. Check for connections to external infrastructure or the presence of unfamiliar MSI packages.
- Restrict internet exposure. Weaver E-cology instances should not be directly accessible from the public internet without authentication and network-level access controls. Place them behind a VPN or Zero Trust access gateway.
- Run detection scans. Use the publicly available CVE-2026-22679 detection scanner to identify vulnerable instances in your environment. The tool performs safe, non-destructive endpoint checks.
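The process-lineage audit described above, as an added example that is not part of the original advisory: it scans constructed process-creation records (a simplified `Key=Value|Key=Value` line format, not a real Sysmon or EDR export) and flags the child processes the advisory names when their parent is java.exe, including the ping callback and the MSI install seen in the documented intrusion. All paths, hostnames and the record format are constructed assumptions.

```python
from dataclasses import dataclass

# Child processes the advisory associates with post-exploitation when spawned by java.exe.
SUSPICIOUS_CHILDREN = {"whoami.exe", "ipconfig.exe", "tasklist.exe",
                       "powershell.exe", "msiexec.exe", "ping.exe"}

@dataclass
class Finding:
    line_no: int
    child: str
    command_line: str

def parse_event(line: str) -> dict:
    """Split one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event: dict) -> bool:
    """True when java.exe directly spawns a listed tool, or cmd.exe that launches one."""
    if basename(event.get("ParentImage", "")) != "java.exe":
        return False
    child = basename(event.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return True
    cmdline = event.get("CommandLine", "").lower()
    return child == "cmd.exe" and any(t[:-4] in cmdline for t in SUSPICIOUS_CHILDREN)

def scan(lines) -> list:
    """Return a Finding for every record that matches the java.exe lineage rule."""
    return [Finding(n, basename(ev["Image"]), ev.get("CommandLine", ""))
            for n, ev in enumerate(map(parse_event, lines), 1) if is_suspicious(ev)]

# Constructed sample records; 203.0.113.5 is a documentation-range address.
SAMPLE_EVENTS = [
    "ParentImage=C:\\ecology\\jre\\bin\\java.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c ping -n 1 203.0.113.5",
    "ParentImage=C:\\ecology\\jre\\bin\\java.exe|Image=C:\\Windows\\System32\\whoami.exe|CommandLine=whoami",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\whoami.exe|CommandLine=whoami",
    "ParentImage=C:\\ecology\\jre\\bin\\java.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec /i C:\\Users\\Public\\fanwei0324.msi /qn",
    "ParentImage=C:\\ecology\\jre\\bin\\java.exe|Image=C:\\ecology\\jre\\bin\\java.exe|CommandLine=java -version",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.line_no}: java.exe -> {f.child}: {f.command_line}")
```

Point `scan()` at the process-creation records exported from your own logging pipeline after mapping them into the same three fields; the third sample record shows that the rule ignores the same tools when launched by an interactive parent.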
Context
Weaver E-cology is one of the most widely deployed enterprise OA (Office Automation) platforms in China, used across government agencies, financial institutions, manufacturing firms, and large enterprises for workflow management, document collaboration, and internal communications. The platform's broad adoption makes it a high-value target for threat actors, particularly those operating in or targeting the Chinese enterprise ecosystem.
The speed of exploitation — just five days after the patch release — underscores the importance of rapid patch adoption for internet-facing enterprise applications. The confirmed intrusion campaign demonstrated a methodical attack sequence including initial verification, multiple payload delivery attempts, and lateral movement preparation, suggesting an organized threat actor rather than opportunistic scanning.