CVE-2026-22679: Critical Weaver E-cology RCE Under Active Attack Since March
An exposed debug endpoint in Weaver E-cology 10.0 allows unauthenticated remote code execution. Attacks have been detected since March 17, 2026; build 20260312…

On May 5, 2026, the Vega Research Team disclosed details of an active attack campaign targeting Weaver E-cology 10.0 installations that has been underway since March 2026. The vulnerability, tracked as CVE-2026-22679 with a critical CVSS score of 9.8, exploits a Dubbo debug endpoint accessible without authentication to achieve remote code execution (RCE). Organizations that have not yet deployed build 20260312, released on March 12, 2026, remain exposed to full system compromise.
- The /papi/esearch/data/devops/dubboApi/debug/method endpoint in Weaver E-cology 10.0 allows unauthenticated remote command execution.
- The Shadowserver Foundation detected the first signs of active exploitation on March 31, 2026, while the Vega Research Team found evidence of abuse as early as March 17, 2026.
- Attackers attempted to deploy an MSI implant named fanwei0324.msi and various PowerShell payloads; in observed cases, endpoint defenses successfully blocked execution.
- The vendor released build 20260312 on March 12, 2026, which physically removes the vulnerable debug endpoint.
The Exposed Dubbo Endpoint: Attack Chain Analysis
The flaw resides in a debug endpoint associated with the Dubbo framework, located at /papi/esearch/data/devops/dubboApi/debug/method. In Weaver E-cology 10.0 versions prior to build 20260312, this URL responds to POST requests without requiring authentication. According to the National Vulnerability Database description cited by The Hacker News,
"Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system." — NIST National Vulnerability Database, via The Hacker News
By controlling these parameters, external actors can directly reach internal command execution helpers, effectively turning a simple API call into a system shell. The severity is maximum: with a CVSS score of 9.8, the flaw allows an unauthenticated attacker to seize host control. This is not a complex exploit chain but rather a backdoor-like entry point left open in production environments that directly exposes remote execution logic.
Intrusion Timeline: From Mid-March to Payload Deployment
Initial traces of malicious activity emerged in a window between mid and late March. The Vega Research Team identified evidence of abuse as early as March 17, 2026, though they noted it is impossible to rule out that this specific date corresponds to a proof-of-concept reproduction rather than a targeted attack. For its part, the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026.
According to reports from The Hacker News citing Daniel Messing of the Vega Research Team, "The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure." During this phase, operators executed standard reconnaissance commands such as whoami, ipconfig, and tasklist to verify their remote execution capabilities.
MSI Implants and PowerShell: Why the Payloads Failed
Despite gaining initial access, the observed campaign failed to achieve persistent compromise on monitored systems. Attackers attempted to install an MSI file named fanwei0324.msi—utilizing a romanized version of the vendor's name—but the operation failed to produce a working installation. Simultaneously, threat actors attempted to download PowerShell payloads from attacker-controlled infrastructure.
The Vega Research Team, as reported by Hendry Adrian’s blog, clarified that "Endpoint defenses blocked downloads and execution, and attackers never established a persistent session on the targeted hosts." However, a significant visibility gap remains: it is unknown whether the MSI implant was successful on targets outside the team's monitoring scope. The identity of the responsible threat group remains unknown, and there are currently no global estimates on the total number of victims.
Remediation and Defensive Actions
Given the unauthenticated nature of the vulnerability and confirmed active exploitation, patching is a critical priority. Security teams and system administrators should take the following four actions:
- Immediately update to Weaver E-cology 10.0 build 20260312 or higher. The vendor released this version on March 12, 2026, specifically to remove the vulnerable debug endpoint.
- Verify the exposure of the /papi/esearch/data/devops/dubboApi/debug/method endpoint. If reachable from the internal network or the public internet, it must be isolated or disabled until the patch is applied.
- Analyze web application and proxy logs for suspicious POST requests targeting paths containing dubboApi/debug/method, with a focus on anomalous interfaceName and methodName parameters.
- Utilize the Python script published by researcher Kerem Oruc to identify vulnerable instances within your infrastructure.
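The log-review step above, as an added example (not the vendor's code and not Kerem Oruc's script): it scans proxy or web-server log lines for requests that reached the debug endpoint and pulls out the interfaceName and methodName values for analyst review. The log layout (combined format with the request body appended as a final quoted field) and the sample lines are constructed assumptions; adapt the regex to your own logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Path fragment named in the advisory; any POST reaching it on a build older
# than 20260312 deserves analyst attention.
TARGET_FRAGMENT = "dubboApi/debug/method"

# Assumed format: combined log with the request body appended as a final quoted
# field (a hypothetical proxy setting). Adapt LOG_RE to your own log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# Constructed sample lines for demonstration only; not telemetry from the campaign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [17/Mar/2026:09:12:01 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "interfaceName=com.example.Exec&methodName=runCmd"',
    '10.0.0.7 - - [17/Mar/2026:09:12:44 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-"',
    '10.0.0.9 - - [17/Mar/2026:09:13:10 +0000] "POST /api/login HTTP/1.1" 200 100 "user=alice"',
    '10.0.0.5 - - [17/Mar/2026:09:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=weaver.search.Api&methodName=query HTTP/1.1" 200 512 "-"',
]

def find_debug_endpoint_hits(lines):
    """One dict per request that touched the debug endpoint, with the
    interfaceName/methodName values extracted for anomaly review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep scanning
        path, _, query = m.group("target").partition("?")
        if TARGET_FRAGMENT not in unquote(path):
            continue
        params = parse_qs(query)  # parameters may arrive in the query string...
        if m.group("body") != "-":
            params.update(parse_qs(m.group("body")))  # ...or in the POST body
        hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                     "method": m.group("method"), "status": int(m.group("status")),
                     "interfaceName": params.get("interfaceName", [None])[0],
                     "methodName": params.get("methodName", [None])[0]})
    return hits

def posts_by_source(hits):
    """Count POSTs to the endpoint per source IP for triage prioritisation."""
    return Counter(h["ip"] for h in hits if h["method"] == "POST")
```

Every hit on an unpatched build is worth a ticket; the extracted interfaceName and methodName values are what distinguish routine application traffic from the attacker-controlled parameters the advisory describes.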
The Enterprise Risk of Production Debug Endpoints
The persistence of development and debug endpoints in critical enterprise environments represents a frequently underestimated risk class. In the case of Weaver E-cology 10.0, a single Dubbo debug API was enough to grant arbitrary command execution without any authentication barriers. In this scenario, the difference between a development build and a secure release was a single forgotten HTTP route.
For the industry, this incident confirms that removing diagnostic tools before production release is not a secondary best practice but a fundamental security requirement. The consequences are stark: companies managing sensitive workflows on ERP platforms found themselves exposed for weeks to total compromise, with only a single HTTP request separating an external attacker from a system shell.
CVE-2026-22679 demonstrates that the most dangerous attack surface is often not a sophisticated zero-day, but a configuration residue left active for convenience. The speed with which attackers converted the discovery of the flaw into implant attempts—even if those attempts failed in known cases—signals real operational interest. For those administering enterprise platforms, the lesson is clear: auditing for exposed debug endpoints must be integrated into pre-release checks with the same rigor applied to patch management.
Frequently Asked Questions
Does this vulnerability only affect Weaver E-cology 10.0?
According to available sources, the CPE associated with CVE-2026-22679 specifically identifies Weaver E-cology 10.0 versions prior to build 20260312. There is currently no official confirmation that the issue extends to other major releases.
Can the threat be mitigated manually without the patch?
Restricting access to the /papi/esearch/data/devops/dubboApi/debug/method endpoint and blocking unauthenticated POST requests to that route reduces the attack surface. However, build 20260312 remains the only definitive countermeasure documented by the vendor.
Was the activity observed on March 17, 2026, a live attack?
The Vega Research Team found evidence of abuse on that date, but they cannot definitively rule out that it was a reproduction of a proof-of-concept rather than the start of a targeted campaign.
Information has been verified against the cited sources and is current as of the time of publication.