CVE-2026-22679

Severity: CRITICAL · CVSS 4.0 base score 9.3 · EPSS 97.3%
Published Apr 7, 2026 · Last Modified Jun 17, 2026

Description

Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).

CVSS Details

Base Score: 9.3 (Critical)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Not defined (X)

Threat Intelligence

EPSS Exploit Probability: 97.3% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-306: Missing Authentication for Critical Function

Affected Products (1)

Vendor   Product    Version   Range
weaver   e-cology   *         <20260312

References (5)

  • blog.vega.io https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/
  • h4cker.zip https://h4cker.zip/post/d5d211/
    Broken Link
  • ti.qianxin.com https://ti.qianxin.com/vulnerability/notice-detail/1760
    Third Party Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint
    Third Party Advisory
  • weaver.com.cn https://www.weaver.com.cn/cs/securityDownload.html#
    Patch

Remediation

  • weaver.com.cn https://www.weaver.com.cn/cs/securityDownload.html#
    Patch