Weaver E-cology 10.0 N-Day RCE: Unauthenticated Exploitation via Debug API (CVE-2026-22679)
CVE-2026-22679 enables unauthenticated RCE in Weaver E-cology 10.0 via the Dubbo debug endpoint. In-the-wild attacks began March 17, 2026, following a patch re…

Information has been verified against cited sources and is current as of the time of publication.
Just five days after Weaver E-cology 10.0 released a critical patch on March 12, 2026, threat actors began targeting the platform's Dubbo debug endpoint. The Vega Research Team has confirmed in-the-wild exploitation starting March 17, 2026, leveraging vulnerability CVE-2026-22679 to achieve unauthenticated remote code execution (RCE). The narrow window between the fix and active abuse underscores a persistent enterprise risk: internal administration endpoints exposed to the public internet frequently transform N-day vulnerabilities into zero-day-speed weapons.
Key Takeaways
- CVE-2026-22679 is an unauthenticated RCE vulnerability in Weaver (Fanwei) E-cology 10.0, carrying a CVSS score of 9.8.
- The flaw resides in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, which is accessible without authentication.
- A patch was released by the vendor on March 12, 2026 (build 20260312); active exploitation began five days later on March 17.
- Observed attack campaigns include RCE verification via ping.exe, PowerShell payload delivery attempts, and the deployment of an MSI package named fanwei0324.msi.
- Security researcher Kerem Oruc has released a Python detection script to help organizations identify vulnerable instances.
Technical Analysis: CVE-2026-22679
CVE-2026-22679 affects the Weaver (Fanwei) E-cology 10.0 enterprise platform. The National Vulnerability Database (NVD) classifies the flaw as unauthenticated Remote Code Execution with a CVSS severity rating of 9.8. All builds prior to version 20260312 are confirmed to be vulnerable.
The vulnerability is located at the /papi/esearch/data/devops/dubboApi/debug/method endpoint. This path is exposed without authentication, allowing remote attackers to send HTTP POST requests that interact directly with the underlying system.
According to NVD documentation reported by The Hacker News, attackers can manipulate the interfaceName and methodName parameters within a POST request to reach command-execution helpers, eventually gaining arbitrary code execution on the target server.
The vendor, Weaver, addressed the issue on March 12, 2026. The update effectively removes the debug endpoint in build 20260312 and later versions. Systems that remain unpatched are vulnerable to malicious POST requests targeting the aforementioned parameters.
The exposure of Dubbo debug endpoints in enterprise platforms like E-cology represents a dangerous and recurring pattern. Services intended strictly for internal administration often remain reachable from the internet, providing remote attackers an unauthenticated, high-privilege attack surface.
Confirmed In-the-Wild Exploitation
The Vega Research Team documented active exploitation beginning March 17, 2026, just five days after the vendor's patch. This rapid turnaround classifies the campaign as a high-velocity N-day attack.
QiAnXin successfully reproduced the vulnerability in an alert published on March 17, 2026, while the Shadowserver Foundation detected the first signs of active mass exploitation on March 31, 2026. Both organizations have confirmed that the flaw is being actively leveraged in the wild.
Daniel Messing of the Vega Research Team detailed a specific intrusion case, stating: “The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure.”
In the analyzed case, all malicious activity originated from the java.exe process on a target Windows server. The initial phase involved using ping.exe against the IP address 152.32.173[.]138 to verify RCE. Command output was returned in HTTP responses, confirming to the attacker that arbitrary code execution was successful.
Following verification, the actors attempted to download PowerShell payloads three times without success. They subsequently tried to deploy an MSI package named fanwei0324.msi—mimicking the vendor's name (Fanwei)—but the installation failed in the observed environment. Finally, a series of requests attempted to fetch PowerShell payloads from attacker-controlled infrastructure.
Indicators of Compromise and Technical Details
In addition to the MSI payload, the campaign utilized standard discovery commands, including whoami, ipconfig, and tasklist. The fanwei0324.msi file is associated with the SHA256 hash 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f.
Current reporting does not specify if the MSI payload was successful in other environments. The identity of the threat actor and the total number of global victims remain undetermined at this time.
“Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system” — NVD, as reported by The Hacker News
Threat Intelligence and Visibility Gap
The two-week gap between Vega’s initial detection on March 17 and Shadowserver’s broader detection on March 31 illustrates the varying visibility intervals across threat intelligence sources. During this period, compromises were already occurring, visible only to teams with direct telemetry from the victims.
This "dark period" amplifies the risk for organizations relying solely on global intelligence feeds; a vulnerable system can remain under attack for days before indicators surface in public sources. QiAnXin’s confirmation of the flaw’s reproducibility on March 17 provided early, independent technical validation.
Researcher Kerem Oruc has released an open-source detection tool, allowing security teams to independently verify the presence of the vulnerability on their assets. Such tools reduce reliance on centralized intelligence cycles and shorten reaction times before global scanning data becomes available.
Mitigation and Response
Organizations running Weaver E-cology 10.0 must immediately verify that they have applied build 20260312 or later. It is critical to confirm that the /papi/esearch/data/devops/dubboApi/debug/method endpoint is no longer accessible from unauthorized networks.
Security operators should monitor application and network logs for anomalous POST requests directed at the Dubbo debug path. Defenders should specifically look for executions of ping.exe, whoami, ipconfig, and tasklist spawned by the java.exe process on Windows servers hosting E-cology 10.0.
Organizations should also scan for the presence of the fanwei0324.msi file or the SHA256 hash 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f. Kerem Oruc’s tool can assist in the incident response phase to verify the security posture of E-cology 10.0 systems.
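To make the monitoring guidance above concrete, here is an added detection example (not the Vega, QiAnXin or Kerem Oruc tooling) that flags POSTs to the debug path in combined-format web access logs, flags the discovery binaries when spawned by java.exe in Sysmon-style process-creation events, and matches the reported MSI indicator. The log lines, process events and the 203.0.113.x addresses are constructed samples; the endpoint, binary names, file name and SHA256 come from the reporting.

```python
import re
from pathlib import PureWindowsPath

DEBUG_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
# Binaries the reported intrusion ran from java.exe (ping for RCE verification, then discovery)
SUSPECT_CHILDREN = {"ping", "whoami", "ipconfig", "tasklist"}
# File-based IoC from the reporting: the MSI implant name and its SHA256
IOC_MSI_NAME = "fanwei0324.msi"
IOC_MSI_SHA256 = "147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f"

# Combined-log style: client ip, timestamp, request line, status code
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def flag_debug_requests(log_lines):
    """Return (ip, timestamp, status) for every POST that reaches the Dubbo debug endpoint."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path.lower().startswith(DEBUG_PATH.lower()):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def _basename(image):
    # Normalise a Windows image path to a lowercase name without ".exe"
    return PureWindowsPath(image).name.lower().removesuffix(".exe")

def flag_suspicious_spawns(events):
    """Events are dicts with ParentImage/Image/CommandLine (Sysmon event ID 1 style).
    Flag the discovery binaries only when their parent is the E-cology java.exe process."""
    return [e for e in events
            if _basename(e["ParentImage"]) == "java" and _basename(e["Image"]) in SUSPECT_CHILDREN]

def matches_msi_ioc(filename, sha256):
    """True if either the implant file name or its SHA256 matches the published indicator."""
    return sha256.lower() == IOC_MSI_SHA256 or filename.lower() == IOC_MSI_NAME

SAMPLE_ACCESS_LOG = [  # constructed sample lines, not from a real victim
    '203.0.113.5 - - [17/Mar/2026:08:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 412',
    '198.51.100.7 - - [17/Mar/2026:08:15:10 +0000] "GET /wui/index.html HTTP/1.1" 200 9120',
    '203.0.113.5 - - [17/Mar/2026:08:16:44 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 500 88',
]
SAMPLE_EVENTS = [  # constructed Sysmon-style process creations
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe", "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 1 203.0.113.99"},
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe", "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for hit in flag_debug_requests(SAMPLE_ACCESS_LOG):
        print("POST to debug endpoint:", hit)
    for ev in flag_suspicious_spawns(SAMPLE_EVENTS):
        print("java.exe spawned discovery command:", ev["CommandLine"])
```

The explorer.exe-parented ipconfig is deliberately not flagged: the signal in the reported case is the java.exe parent, not the binaries alone.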
Furthermore, network exposure of the Dubbo debug endpoint should be restricted to necessary internal addresses only. Network segmentation remains a vital defense against unauthenticated external scanning and exploitation.
Verification should be extended to all nodes running builds prior to 20260312, including test and staging environments. Even systems not directly exposed to the internet are at risk of lateral movement from an attacker who has already established a foothold within the network.
The residual risk remains high: the five-day window between the patch and exploitation proves that enterprise defensive reaction times often lag behind the speed at which threat actors weaponize fixes. Without rapid patching and visibility into exposed debug endpoints, N-day vulnerabilities will continue to present exposure windows measured in hours, not weeks.