Critical Vulnerability at Weaver Ecology allows remote code execution without authentication and is already in operation

A critical vulnerability in Weaver (also known as Fanwei) E-cology, a platform for office automation and business collaboration, is being actively exploited in real environments. The failure, recorded as CVE-2026-22679 and valued with a CVSS score of 9.8, allows remote execution of code without authentication in versions 10.0 prior to the update published on March 12, 2026, taking advantage of a debugging functionality displayed in the endpoint "/ Daddy / research / data / devops / dubboApi / debug / method." For the official technical description, see the NVD tab and the CVE record in MITRE: NVD CVE-2026-22679 and MITRE CVE-2026-22679.

The identified operating vector allows an attacker to send POST requests handled with parameters such as interfaceName and method to invoke command execution helpers integrated into the debugging API. As a failure without authentication requirement, malicious actors can compromise directly exposed servers from the Internet, raising the risk for organizations with publicly accessible or poorly segmented Weaver instances.

Security researchers and organizations monitoring threats detected exploitation activity from close to correction: some reports place the first signs on March 17, 2026, while additional observations appear from March 31. The abuse patterns described include remote execution verification, failed attempts to deploy payloads, an attempt to install through an MSI named to appear to be legitimate ("fanwei0324.msi") and a brief campaign to recover payloads through PowerShell from infrastructure controlled by the attackers. Basic recognition commands such as whoami, ipconfig and tasklist were also recorded throughout the intrusions.

From the operational point of view, this incident illustrates two recurring risks: first, that the tools and debugging endpoints left active in production software become back doors if they are not protected; second, that the published corrections do not automatically remove the exposure window because many corporate environments are slow to apply patches or do not have perimeter controls that block unwanted access.

If your organization uses Weaver E-cology, the immediate action required is to apply the official update published on March 12, 2026 or any subsequent patch that fixes CVE-2026-22679. In addition to the patch, it is appropriate to apply compensatory mitigation until the entire fleet is up-to-date: to restrict access to vulnerable endpoint by firewall or WAF rules, to block POST applications to suspicious routes, and to limit remote access to the application to only internal networks or authorized IP addresses.

In parallel to the mediation, it is recommended to carry out detection and research activities. This includes reviewing web and proxy logs for POST requests addressed to "/ Daddy / research / data / devops / dubboApi / debug / method" and unusual parameters in interfaceName / method, looking for traces of the "fanwei0324.msi" installer or other unauthorized MSI files, inspecting anomalous outgoing processes and connections, and checking the presence of webshells or rear doors. In the absence of specific tools, an endpoint accessibility scan from outside its perimeter allows to identify exposed instances that require immediate attention.

If you detect signs of commitment, isolate the affected machine, preserve records and volumes for forensic analysis, and consider restoring credentials and reviewing accounts with privileges. Coordinated intervention between network, security and operations teams is key to containing impact and avoiding internal pivots. It is also advisable to inform the supplier and, where appropriate, the authorities or incident response teams to share indicators and collaborate in containment.

To reduce the likelihood of such vulnerabilities emerging in the future, take structural measures: disable debugging functions in production environments, apply strict network segmentation for administrative applications, deploy and maintain WAF rules that block exposed management routes and establish rapid patching procedures for critical software. Continuous visibility through integrity monitoring, EDR and web traffic analysis helps to detect suspicious activity in early stages.

The case of Weaver E-cology is a reminder that business collaboration platforms, because of their critical nature and the access they often have to corporate data, are attractive targets for attackers. The combination of a vulnerability with active exploitation requires prioritizing the correction and hunting of indicators in their own environments to minimize the risk of intrusion and exfiltration.