Weaver E-cology Unauthenticated RCE Exploit Under Active Attack

A critical vulnerability in a popular enterprise office automation platform is being actively exploited. Attackers need no password. No username. No special privileges. Just a single carefully crafted POST request.

The Weaver E-cology unauthenticated RCE exploit tracked as CVE-2026-22679 carries a CVSS score of 9.8, making it critical. The flaw affects Weaver E-cology 10.0 versions prior to the patch released on March 12, 2026.

Active exploitation began almost immediately. Security researchers observed the first attacks just five days after the patch was shipped.

What Is Weaver E-cology?

Weaver E-cology is an enterprise office automation and collaboration platform widely used in China and across Asia. Organizations use it for document management, workflow automation, human resource processes, and internal communication.

An unauthenticated remote code execution vulnerability exists in an API exposed by Weaver E-cology. If your organization runs Weaver E-cology, immediate action is required.

Vulnerable endpoint

The vulnerability lies in an API endpoint, /papi/esearch/data/devops/dubboApi/debug/method, that exposes a debug interface. Functionality of this kind should never be reachable by unauthenticated users, yet the Weaver E-cology unauthenticated RCE exploit lets attackers call this endpoint without any credentials.

By crafting POST requests with attacker-controlled interfaceName and methodName parameters, an attacker can reach command-execution helpers and achieve arbitrary command execution on the target system.

The NIST National Vulnerability Database explains: "Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system."

Active Exploitation Timeline

The Weaver E-cology unauthenticated RCE exploit timeline shows how quickly attackers moved after the patch was released.
1. March 12, 2026: Weaver issued patches related to CVE-2026-19765
2. March 17, 2026: earliest evidence of in-the-wild exploitation (Vega Research Team)
3. March 17, 2026: Chinese security vendor QiAnXin demonstrated that it could reproduce the vulnerability
4. March 31, 2026: the Shadowserver Foundation observed signs of exploitation

The Weaver E-cology unauthenticated RCE exploit went from patch to active weapon in just five days. Attackers were ready before most administrators even knew the patch existed.

The Intrusion: A Week of Activity

The Vega Research Team published a detailed analysis of the Weaver E-cology unauthenticated RCE exploit activity. Their report describes an intrusion that unfolded over roughly one week of operator activity.

The attack sequence:
1. RCE verification – The attacker first confirmed the vulnerability worked
2. Three failed payload drops – Initial attempts to deploy malware failed
3. MSI implant attempt – The attacker tried to install a malicious MSI package
4. PowerShell retrieval attempts – Short burst of attempts to fetch PowerShell payloads from attacker-controlled infrastructure

The Weaver E-cology unauthenticated RCE exploit campaign used an MSI installer named fanwei0324.msi. The name is significant. "Fanwei" is the romanized Chinese name for Weaver. The attacker likely chose this name to make the malicious payload appear harmless or legitimate.

Post-Exploitation Activities

Once the Weaver E-cology unauthenticated RCE exploit gave the attacker a foothold, they ran standard discovery commands:
1. whoami – Identify the current user context
2. ipconfig – Map network configuration and IP addresses
3. tasklist – See what processes are running

These commands are classic post-exploitation reconnaissance. The Weaver E-cology unauthenticated RCE exploit gave the attacker a shell. The attacker used that shell to understand the environment before taking further action.

The MSI Implant Failure

Interestingly, the Weaver E-cology unauthenticated RCE exploit campaign's MSI implant "did not produce a working install." The attacker's attempts to deploy persistent malware failed at least initially.

However, the Vega Research Team noted that the Weaver E-cology unauthenticated RCE exploit allowed the attacker to continue probing. Failed payload drops do not mean the attack stopped. The attacker simply tried different approaches.

Detection and Scanning

Security researcher Kerem Oruc has released a Python-based detection script for the Weaver E-cology unauthenticated RCE exploit. The script checks whether the vulnerable API endpoint is accessible on a target system.

Administrators can use this script to:
1. Identify vulnerable Weaver E-cology instances
2. Verify if patching was successful
3. Check for exposed debug endpoints that should be blocked

The Weaver E-cology unauthenticated RCE exploit detection script is available for defensive use. No organization should run this script against systems they do not own.

Who Is at Risk?

The Weaver E-cology unauthenticated RCE exploit affects any organization running:

  • Weaver E-cology 10.0
  • Versions prior to the March 12, 2026 patch

Weaver E-cology is most common in China and across Asia. However, the Weaver E-cology unauthenticated RCE exploit could affect any global organization that uses this enterprise OA platform.

If you are unsure whether your organization uses Weaver E-cology, check with your IT department. The platform is often deployed for internal workflows, document management, and collaboration.

How to Protect Your Organization

The Weaver E-cology unauthenticated RCE exploit is actively being used in the wild. Here is what you need to do.
1. Apply the patch immediately. Weaver released patches on March 12, 2026. The Weaver E-cology unauthenticated RCE exploit is fixed in versions released after that date. If you have not patched, do so now.

2. Check if you have been compromised. Use the Python detection script to see if your vulnerable endpoint is accessible. The Weaver E-cology unauthenticated RCE exploit may have already been used against your systems.

3. Limit access to the exposed endpoint. If patches cannot be applied immediately, deny access to /papi/esearch/data/devops/dubboApi/debug/method until they can be. If the endpoint is unreachable, the Weaver E-cology unauthenticated RCE exploit will not work.

4. Search for fanwei0324.msi. The Weaver E-cology unauthenticated RCE exploit campaign used this file as its MSI installer. Also check your systems for other unapproved MSI installers.

5. Review logs for unusual POST requests. Look for POST requests to the dubboApi debug endpoint. The Weaver E-cology unauthenticated RCE exploit leaves HTTP traces. Any access to this endpoint from untrusted IP addresses is suspicious.

6. Run discovery command audits. The Weaver E-cology unauthenticated RCE exploit attackers ran whoami, ipconfig, and tasklist. Look for unexpected executions of these commands from the Weaver service context.
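The log review in step 5, as an added example that is not part of the original article or any vendor tooling: a small Python scanner that parses combined-format access log lines (constructed for this example, not real traffic) and flags any access to the dubboApi debug endpoint from a source outside a placeholder trusted range. The endpoint path is matched case-insensitively and after URL-decoding, since the path appears with differing case in write-ups.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Debug endpoint from the advisory, kept lowercase for case-insensitive comparison.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboapi/debug/method"

# Combined log format: client ip, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log lines (not real traffic) with one noisy source.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2026:09:12:01 +0000] "GET /wui/index.html HTTP/1.1" 200 5120
203.0.113.44 - - [17/Mar/2026:09:13:44 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 311
203.0.113.44 - - [17/Mar/2026:09:13:51 +0000] "POST /papi/esearch/data/devops/DubboApi/debug/method?x=1 HTTP/1.1" 200 412
10.0.0.9 - - [17/Mar/2026:09:20:00 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 403 0
198.51.100.7 - - [18/Mar/2026:02:01:13 +0000] "POST /api/login HTTP/1.1" 200 88
"""

# Placeholder: replace with the prefixes of your own management/admin ranges.
TRUSTED_NETS = ("10.",)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_debug_endpoint(path):
    # Drop the query string, decode percent-encoding, compare case-insensitively.
    clean = unquote(path.split("?", 1)[0]).lower()
    return clean == DEBUG_ENDPOINT

def find_suspicious(log_text):
    """Return (ip, timestamp, method, status) for every access to the debug
    endpoint from an untrusted source. POSTs match the exploitation pattern;
    GETs are still reported because any untrusted access is worth a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_debug_endpoint(rec["path"]):
            continue
        if rec["ip"].startswith(TRUSTED_NETS):
            continue
        hits.append((rec["ip"], rec["ts"], rec["method"], int(rec["status"])))
    return hits

def summarize(hits):
    """Count POSTs per source IP so the noisiest untrusted source surfaces first."""
    return Counter(ip for ip, _, method, _ in hits if method == "POST")
```

Feed it your real access log instead of SAMPLE_LOG and treat every hit as a trigger for the compromise checks in steps 4 and 6.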

Patch Status

Weaver released patches for the Weaver E-cology unauthenticated RCE exploit on March 12, 2026. The patch versions include:

  • Weaver E-cology 10.0 builds after March 12, 2026

If your version predates the patch, you are vulnerable. The Weaver E-cology unauthenticated RCE exploit is fixed only in patched versions.

Chinese security vendor QiAnXin confirmed they were able to successfully reproduce the Weaver E-cology unauthenticated RCE exploit in their own testing environment. The vulnerability is real, confirmed, and actively exploited.

Final Thoughts

The Weaver E-cology unauthenticated RCE exploit (CVE-2026-22679) is a straightforward but devastating vulnerability. A single API endpoint with exposed debug functionality. No authentication required. Full system compromise.

Attackers found the Weaver E-cology unauthenticated RCE exploit within days of the patch release. They verified it worked. They dropped payloads. They ran discovery commands. They tried to install persistent malware.

The Weaver E-cology unauthenticated RCE exploit campaign is ongoing. If your organization uses Weaver E-cology, assume you are a target. Patch now. Check for compromise. And hope the attacker's MSI installer fails again.

FAQ Section

Q1: What versions of Weaver E-cology are affected by CVE-2026-22679?
The Weaver E-cology unauthenticated RCE exploit affects Weaver E-cology 10.0 versions prior to the March 12, 2026 patch. If your version was released before that date, you are vulnerable. Check with your vendor for the specific patched build numbers.

Q2: How do attackers exploit CVE-2026-22679?
Attackers send crafted POST requests to the /papi/esearch/data/devops/dubboApi/debug/method endpoint. The Weaver E-cology unauthenticated RCE exploit allows them to control interfaceName and methodName parameters to reach command-execution helpers, achieving arbitrary command execution on the system.

Q3: Was the Weaver E-cology unauthenticated RCE exploit used in real attacks?
Yes. The Vega Research Team identified active exploitation beginning March 17, 2026, just five days after the patch was released. Shadowserver Foundation observed exploitation signs on March 31, 2026. The Weaver E-cology unauthenticated RCE exploit is actively being used in the wild.

Q4: What's the purpose of fanwei0324.msi? 
Fanwei0324.msi is an MSI installer that deploys malware as part of the Weaver E-cology unauthenticated RCE exploit campaign. The file is named after the romanized Chinese name for Weaver (Fanwei) so that it appears to come from the legitimate vendor. In the investigated incident the installer did not produce a working install; future attacks may succeed.

Q5: How do I find out if my Weaver E-cology installation has been compromised? 
Run the Python detection script by independent security researcher Kerem Oruc to test whether the vulnerable endpoint is reachable on your installation. Review your logs for POST requests to the dubboApi debug endpoint. Search for unexpected executions of whoami, ipconfig, and tasklist from the Weaver service context. Also search your file system for fanwei0324.msi.

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067