A critical security vulnerability, tracked as CVE-2026-22679, has been identified in Weaver (Fanwei) E-cology 10.0, one of the most widely used enterprise collaborative office platforms. With a CVSS score of 9.3, this zero-day allows unauthenticated attackers to achieve Remote Code Execution (RCE), potentially granting them full control over affected enterprise servers.
The Shadowserver Foundation first reported evidence of active exploitation in the wild on March 31, 2026.
The flaw resides in the /papi/esearch/data/devops/dubboApi/debug/method endpoint. In versions of Weaver E-cology 10.0 released prior to March 12, 2026, this endpoint leaves debug functionality exposed to the public internet without requiring any form of authentication.
Attackers can exploit this by crafting a specific POST request. By manipulating the interfaceName and methodName parameters, an external actor can “reach command-execution helpers and achieve arbitrary command execution on the system.” Essentially, the platform’s own developer tools are being turned into a backdoor for hackers to run malicious commands.
Weaver E-cology is a foundational piece of infrastructure for many large organizations, often handling sensitive internal communications, document management, and business workflows. An RCE vulnerability at this level of the stack is catastrophic, as it allows an attacker to:
- Exfiltrate Data: Access proprietary company secrets, employee records, and financial data.
- Deploy Ransomware: Lock down critical business systems across the entire corporate network.
- Establish Persistence: Create hidden accounts or install backdoors to maintain long-term access.
The fact that this exploit can be triggered unauthenticated means an attacker does not need a valid username or password to breach the system; they simply need to find an exposed instance of the software.
This vulnerability specifically impacts:
- Product: Weaver (Fanwei) E-cology 10.0
- Affected Versions: All versions released prior to 20260312.
Weaver has released security updates to close this critical gap. Organizations running E-cology 10.0 are urged to take the following actions immediately:
- Update Promptly: Apply the security patch released on March 12, 2026, or upgrade to the latest stable version provided by the vendor.
- Restrict Access: If immediate patching is not possible, place the Weaver E-cology instance behind a VPN or implement strict IP-based access controls to the /papi/ directory.
- Hunt for Indicators of Compromise (IoC): Review web server logs for suspicious POST requests hitting the /papi/esearch/data/devops/dubboApi/debug/method endpoint, especially those originating from unrecognized external IP addresses.
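The log-hunting step above can be scripted. The following is an added example (not code from Weaver or from this report) that scans access-log lines in the common/combined format for POST requests to the debug endpoint and flags those coming from outside an allowlist of internal networks; the log lines and the trusted ranges are constructed for illustration and should be replaced with your own.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory for CVE-2026-22679.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Assumption: internal ranges that may legitimately reach the debug endpoint.
# RFC 1918 ranges are used here as placeholders; adjust to your environment.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Common/combined log format: client IP, timestamp, "METHOD path HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [31/Mar/2026:10:02:11 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512
10.1.2.3 - - [31/Mar/2026:10:03:01 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512
198.51.100.7 - - [31/Mar/2026:10:04:59 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0
203.0.113.45 - - [31/Mar/2026:10:05:30 +0000] "GET /login.jsp HTTP/1.1" 200 2048
"""


def hunt_debug_endpoint(log_text, trusted_nets=TRUSTED_NETS):
    """Return POST hits on the debug endpoint from sources outside trusted_nets."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") != "POST" or path != DEBUG_ENDPOINT:
            continue
        try:
            src = ip_address(m.group("ip"))
            trusted = any(src in net for net in trusted_nets)
        except ValueError:
            trusted = False  # unparseable source field: never silently trust it
        if trusted:
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for h in hunt_debug_endpoint(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} POST {DEBUG_ENDPOINT} -> {h['status']}")
```

A 200 response on a POST to this endpoint from an external address on an unpatched instance is the case to escalate; GETs and internal sources are filtered out so the output stays short enough to review by hand.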