Critical RCE Vulnerability in Weaver E-cology Under Active Exploitation
A critical remote code execution (RCE) vulnerability, **CVE-2026-22679**, affecting **Weaver** E-cology is under active exploitation. The vulnerability allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Patches are available, but exploitation attempts were observed even before the official patch release.

### Weaver E-cology RCE Vulnerability Actively Exploited
A critical security vulnerability in **Weaver** (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.
The vulnerability (**CVE-2026-22679**, CVSS score: 9.8) is an unauthenticated remote code execution flaw affecting **Weaver** E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint, which allows an attacker to execute arbitrary commands by invoking exposed debug functionality.
According to the **NIST** National Vulnerability Database (NVD), "Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system."
### Early Exploitation and Threat Actor Activity
The **Shadowserver Foundation** observed the first signs of active exploitation on March 31, 2026. A similar alert published by **QiAnXin** on March 17, 2026, revealed that the Chinese security vendor had successfully reproduced the remote code execution vulnerability.
However, the **Vega Research Team** identified active exploitation of **CVE-2026-22679** much earlier, with the earliest evidence of abuse dating back to March 17, 2026, five days after patches were released.
Security researcher Daniel Messing stated, "The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure."
### MSI Installer and Discovery Commands
The MSI installer, according to the Israeli cybersecurity company, used the name "fanwei0324.msi," indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for **Weaver**. The threat actor has also been observed running discovery commands, such as `whoami`, `ipconfig`, and `tasklist`, throughout the campaign.
### Detection and Mitigation
Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable **Weaver** E-cology instances by checking if the susceptible API endpoint is accessible. Users are advised to apply the updates to stay protected.
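For teams that cannot patch immediately, a complementary check is to hunt for requests to the debug endpoint in web-server or reverse-proxy access logs and to compare the installed build against the first fixed one. The script below is an added example written for this article, not Kerem Oruc's script or Weaver's own code; it assumes a combined-format access log (the regex is an assumption to adapt to your log layout) and uses constructed sample lines. POST bodies carrying `interfaceName`/`methodName` are not visible in access logs, so inspecting them needs WAF or full-request logging.

```python
import re

# Endpoint named in the advisory text for CVE-2026-22679.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
# First fixed E-cology 10.0 build, as stated in the advisory (20260312).
FIRST_PATCHED_BUILD = 20260312

# Minimal parser for a combined-format access log line (assumed layout;
# adjust the pattern if your proxy or WAF writes a different format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def build_is_vulnerable(build: int) -> bool:
    """E-cology 10.0 builds before 20260312 lack the fix."""
    return build < FIRST_PATCHED_BUILD

def find_debug_endpoint_hits(lines):
    """Return one record per request that reached the debug endpoint.
    POST is the verb the advisory describes, so it is rated high; any other
    verb hitting the path still indicates probing and is rated medium."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path != DEBUG_ENDPOINT:
            continue
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
            "severity": "high" if m.group("method") == "POST" else "medium",
        })
    return hits

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2026:09:12:01 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.3 - - [17/Mar/2026:09:12:44 +0000] "GET /login/Login.jsp HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Mar/2026:09:13:10 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in find_debug_endpoint_hits(SAMPLE_LOG):
        print(hit)
```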