Skip to content

Secure IT

Stay Secure. Stay Informed.

Primary Menu
  • Home
  • Sources
    • Krebs On Security
    • Security Week
    • The Hacker News
    • Schneier On Security
  • Home
  • The Hacker News
  • Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
  • The Hacker News

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API

[email protected] The Hacker News Published: May 5, 2026 | Updated: May 9, 2026 2 min read
0 views

Ravie LakshmananMay 05, 2026Vulnerability / Network Security

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.

The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the “/papi/esearch/data/devops/dubboApi/debug/method” endpoint that allows an attacker to execute arbitrary commands by invoking exposed debug functionality.

“Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. A similar alert published by QiAnXin on March 17, 2026, revealed that the Chinese security vendor was able to successfully reproduce the remote code execution vulnerability without sharing any further details.

However, in a report published last week, the Vega Research Team said it identified active exploitation of CVE-2026-22679 much before, with the earliest evidence of abuse dating back to March 17, 2026, five days after patches were shipped for the flaw.

“The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure,” security researcher Daniel Messing said.

The MSI installer, per the Israeli cybersecurity company, used the name “fanwei0324.msi,” indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for Weaver. The unknown threat actor has also been observed running discovery commands, such as whoami, ipconfig, and tasklist, throughout the campaign.

Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking if the susceptible API endpoint is accessible. Users are advised to apply the updates, if not already, to stay protected.

About The Author

[email protected] The Hacker News

See author's posts

Original post here

What do you feel about this?

  • The Hacker News

Post navigation

Previous: Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries
Next: ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

Author's Other Posts

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now cpanel-3.jpg

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

May 9, 2026 0 1
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms banking.jpg

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

May 9, 2026 0 0
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads android-calls.jpg

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

May 9, 2026 0 0
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches zz-webinar.jpg

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

May 9, 2026 0 1

Related Stories

cpanel-3.jpg
  • The Hacker News

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

[email protected] The Hacker News May 9, 2026 0 1
banking.jpg
  • The Hacker News

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

[email protected] The Hacker News May 9, 2026 0 0
android-calls.jpg
  • The Hacker News

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

[email protected] The Hacker News May 9, 2026 0 0
zz-webinar.jpg
  • The Hacker News

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

[email protected] The Hacker News May 9, 2026 0 1
kube.jpg
  • The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

[email protected] The Hacker News May 9, 2026 0 0
ai-soc.jpg
  • The Hacker News

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

[email protected] The Hacker News May 9, 2026 0 1

Trending Now

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0

Connect with Us

Social menu is not set. You need to create menu and assign it to Social Menu on Menu Settings.

Trending News

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak 5
  • Uncategorized

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

May 22, 2026 0 0
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada 6
  • Uncategorized

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

May 21, 2026 0 0
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github 7
  • Uncategorized

CISA Admin Leaked AWS GovCloud Keys on Github

May 18, 2026 0 0

You may have missed

Who Runs the Ransomware Group ‘The Gentlemen?’
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

Sean June 10, 2026 0 0
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

Sean June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Sean June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Sean May 25, 2026 0 0
Copyright © 2026 All rights reserved. | MoreNews by AF themes.