WEAVER (Fanwei) E-cology contains a critical unauthenticated remote code execution flaw, CVE-2026-22679, affecting Weaver E-cology 10.0 versions prior to 20260312, and it is actively exploited via a debug API endpoint at /papi/esearch/data/devops/dubboApi/debug/method. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system, according to the NVD description.
Shadowserver Foundation observed the first signs of active exploitation on 31 March 2026, while QiAnXin reported reproducing the vulnerability in its alert on 17 March 2026; Vega Research Team later said it identified active exploitation dating back to 17 March 2026, five days after patches were shipped on 12 March 2026.
The campaign involved RCE verification, three failed payload drops, an attempted pivot to an MSI implant named fanwei0324[.]msi, and attempts to retrieve PowerShell payloads from attacker-controlled infrastructure, with discovery commands such as whoami, ipconfig and tasklist observed. A Python-based detection script by Kerem Oruc was released to help identify vulnerable Weaver E-cology instances, and users are advised to apply the updates to stay protected.
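The two observable artifacts named above, requests to the debug endpoint and the follow-on discovery commands, are enough to build a simple host-side correlation check. The script below is an added example for this summary; it is not Kerem Oruc's detection script and not Weaver's code. The access-log layout, the process-event shape, the idea that E-cology runs under a `java.exe` parent, the five-minute correlation window and all IPs and timestamps are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Endpoint path named in the advisory; everything else below is constructed sample data.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
# Discovery commands the advisory reports were observed after exploitation.
DISCOVERY_COMMANDS = {"whoami", "ipconfig", "tasklist"}

# Constructed access-log lines (combined-log-like shape, assumed; not real traffic).
ACCESS_LOG = """\
203.0.113.10 - - [31/Mar/2026:10:00:01 +0000] "GET /login/Login.jsp HTTP/1.1" 200 512
203.0.113.10 - - [31/Mar/2026:10:00:05 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 98
198.51.100.7 - - [31/Mar/2026:10:01:00 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 500 42
192.0.2.5 - - [31/Mar/2026:10:02:00 +0000] "GET /api/portal/index HTTP/1.1" 200 1024
"""

# Constructed process-creation events: (ISO timestamp, parent image, command line).
# The java.exe parent is an assumption about how the application server runs.
PROCESS_EVENTS = [
    ("2026-03-31T10:00:06+00:00", "java.exe", "cmd.exe /c whoami"),
    ("2026-03-31T10:00:07+00:00", "java.exe", "cmd.exe /c ipconfig /all"),
    ("2026-03-31T10:00:08+00:00", "java.exe", "tasklist"),
    ("2026-03-31T11:30:00+00:00", "explorer.exe", "cmd.exe /c ipconfig"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Parse one access-log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Compare on the path only, so a query string cannot mask the endpoint.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_debug_endpoint_hits(log_text):
    """Return every request to the debug endpoint, regardless of response status."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["path"] == DEBUG_ENDPOINT:
            hits.append(rec)
    return hits


def discovery_command(cmdline):
    """Return the discovery command name if the command line runs one, else None."""
    tokens = cmdline.split()
    # Skip a 'cmd.exe /c' or '/k' prefix so the wrapped command is what gets inspected.
    if (len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe")
            and tokens[1].lower() in ("/c", "/k")):
        tokens = tokens[2:]
    if not tokens:
        return None
    name = tokens[0].rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name if name in DISCOVERY_COMMANDS else None


def correlate(hits, events, window_seconds=300):
    """For each endpoint hit, collect discovery commands spawned within the window after it."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    for hit in hits:
        cmds = []
        for ts_str, _parent, cmdline in events:
            ts = datetime.fromisoformat(ts_str)
            name = discovery_command(cmdline)
            if name and hit["ts"] <= ts <= hit["ts"] + window:
                cmds.append(name)
        alerts.append({
            "ip": hit["ip"],
            "ts": hit["ts"].isoformat(),
            "status": hit["status"],
            "commands": cmds,
            # Endpoint access alone is worth a look; follow-on discovery raises confidence.
            "severity": "high" if cmds else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_debug_endpoint_hits(ACCESS_LOG), PROCESS_EVENTS):
        print(alert)
```

Run against the constructed data, the first endpoint hit is followed within the window by all three discovery commands and is rated high, while the second hit (an HTTP 500, which may be a failed attempt) stays medium because nothing follows it. Keying on the path alone, and not on the response code, matters because the summary records three failed payload drops: a request that fails can still be the earliest sign that the endpoint is reachable.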