Unauthenticated RCE in Weaver E-cology via Debug API Endpoint (CVE-2026-22679) Actively Exploited in the Wild
Summary
An unauthenticated remote code execution (RCE) vulnerability (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 prior to 20260312 is being actively exploited. The flaw exists in the debug API endpoint `/papi/esearch/data/devops/dubboApi/debug/method`, enabling attackers to execute arbitrary commands via crafted POST requests with malicious `interfaceName` and `methodName` parameters. Exploitation activity was first observed by the Shadowserver Foundation on March 31, 2026, with evidence dating back to March 17, 2026—five days after patches were released. The threat actor demonstrated operational sophistication, including failed payload deployments, discovery commands (e.g., `whoami`, `ipconfig`, `tasklist`), and attempts to retrieve PowerShell payloads from attacker-controlled infrastructure.
Timeline
05.05.2026 10:37 (1 article)
Active exploitation of Weaver E-cology RCE vulnerability (CVE-2026-22679) confirmed
Exploitation activity targeting Weaver E-cology 10.0 via the debug API endpoint `/papi/esearch/data/devops/dubboApi/debug/method` was observed starting March 17, 2026. The threat actor demonstrated operational maturity, including failed payload deployments, reconnaissance commands, and attempts to retrieve additional payloads from attacker-controlled infrastructure. Evidence indicates exploitation began five days after patches were released, with initial detection by the Shadowserver Foundation on March 31, 2026.
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
Information Snippets
The vulnerability affects Weaver E-cology 10.0 versions prior to 20260312 and allows unauthenticated RCE via the `/papi/esearch/data/devops/dubboApi/debug/method` endpoint.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
CVE-2026-22679 has a CVSS score of 9.8 and enables arbitrary command execution through attacker-controlled `interfaceName` and `methodName` parameters in POST requests.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
Active exploitation was first observed by the Shadowserver Foundation on March 31, 2026, with earliest evidence dating back to March 17, 2026, five days after patches were released.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
The threat actor attempted to deploy an MSI installer named `fanwei0324.msi` to masquerade as a legitimate Weaver update during the campaign.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
Discovery commands executed by the actor included `whoami`, `ipconfig`, and `tasklist`, indicating post-exploitation reconnaissance efforts.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
A Python-based detection script has been made available by security researcher Kerem Oruc to identify vulnerable Weaver E-cology instances by checking the accessibility of the susceptible API endpoint.
First reported: 05.05.2026 10:37 (1 source, 1 article)
- Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API — thehackernews.com — 05.05.2026 10:37
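
Log-hunting logic for the activity described above, added here as an example (it is not from the cited article and is not the detection script attributed to Kerem Oruc): it scans web access logs for requests to the debug endpoint named on this page and ranks the source addresses. The Combined Log Format, the sample lines, the `hunt`/`triage` names and the reading of a 2xx reply are assumptions made for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named on this page, lower-cased so the comparison is case-insensitive.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method".lower()

# Assumption: logs are in Combined Log Format; adapt the pattern to your proxy or WAF.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE = [
    '203.0.113.7 - - [17/Mar/2026:02:11:09 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Mar/2026:02:11:40 +0000] "POST /papi//esearch/data/devops/%64ubboApi/debug/method;x=1 HTTP/1.1" 200 498',
    '198.51.100.23 - - [18/Mar/2026:09:00:01 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0',
    '192.0.2.10 - - [18/Mar/2026:09:05:00 +0000] "GET /papi/esearch/data/search?q=report HTTP/1.1" 200 1024',
]

def canonical_path(target):
    """Normalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0]            # ignore the query string
    for _ in range(2):                        # single and double percent-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)        # drop ;name=value path parameters
    path = normpath("/" + path.replace("\\", "/").lstrip("/"))  # collapse //, ./, ../
    return path.lower().rstrip("/")

def hunt(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for endpoint requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and canonical_path(m["target"]) == DEBUG_ENDPOINT:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def triage(hits):
    """Assumption: a 2xx reply to a POST means the request reached the debug handler."""
    return {ip: "investigate" if any(meth == "POST" and 200 <= st < 300
                                     for _, meth, st in events) else "probe"
            for ip, events in hits.items()}

if __name__ == "__main__":
    for ip, verdict in triage(hunt(SAMPLE)).items():
        print(ip, verdict)
```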