Emerging Threats

Weaver E-cology Flaw Exploited Through Debug API Endpoint


CVE-2026-22679, a critical remote code execution bug in Weaver (Fanwei) E-cology, carries a CVSS score of 9.8 and is under active exploitation in the wild.

The vulnerability: unauthenticated RCE via the debug API

The flaw affects Weaver E-cology 10.0 versions prior to 20260312 and resides in the exposed debug endpoint at "/papi/esearch/data/devops/dubboApi/debug/method." According to the NIST National Vulnerability Database (NVD), the endpoint permits unauthenticated command execution: "Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system." The severity rating — CVSS 9.8 — reflects the potential for full system compromise without authentication.

Observed timeline: detection, reproduction, and early abuse

Multiple organizations reported activity around the vulnerability in March 2026. Chinese security vendor QiAnXin said it successfully reproduced the remote code execution on March 17, 2026. The Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. In a report published last week, the Vega Research Team attributed an intrusion it investigated to exploitation of the flaw and placed the earliest evidence of abuse at March 17, 2026, five days after the fixed 20260312 build was released.

Attack activity and artifacts documented by Vega Research Team

Vega Research Team security researcher Daniel Messing summarized the intrusion as a roughly week-long sequence of operator actions: "RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure." The MSI installer was observed using the filename "fanwei0324.msi," an apparent attempt to masquerade as a legitimate Weaver-related file. Throughout the campaign the unknown operator executed discovery commands such as whoami, ipconfig, and tasklist.

Detection and mitigation: scripts and updates

Detection and remediation options have been made available alongside public reporting. Security researcher Kerem Oruc released a Python-based detection script that identifies Weaver E-cology instances with the vulnerable API endpoint accessible. Users are explicitly advised to apply available updates if they have not already done so; the vulnerability affects versions prior to the 20260312 release marker.

How security teams, affected enterprises, and end users should respond

  • Security teams: verify whether any internal or customer-facing Weaver E-cology 10.0 instances match the vulnerable version string (prior to 20260312) and check accessibility of the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint. Employ Kerem Oruc’s detection script where operationally appropriate and review logs for the behaviors Vega documented — RCE verification attempts, failed payload drops, requests for PowerShell payloads, and execution of discovery commands.
  • Affected enterprises and procurement leaders: prioritize application of the vendor-supplied updates for Weaver E-cology 10.0, validate patch deployment across environments, and consider post-patch forensics for systems that were internet-accessible on or after March 17, 2026, the earliest date exploitation was observed. Patching closes the endpoint but does not evict an operator who already landed a payload, so a previously exposed host needs a compromise assessment, not just an update.
  • End users and administrators: restrict external access to administrative or debug endpoints where possible, and report any unexpected MSI installers (for example, files named "fanwei0324.msi") or unexplained command activity to incident response teams.
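The following is an added triage example for the detection and response steps above; it is not the page's code, not Weaver's, and not Kerem Oruc's published script. It checks a build marker against the 20260312 fix, scans access-log lines for requests to the debug endpoint, and flags shell commands matching the discovery commands and payload artifacts Vega documented. The Apache/nginx "combined" log layout, the process-event line format, and the assumption that E-cology's command helpers spawn under a Java process are all assumptions; the sample data is constructed, not captured.

```python
"""Offline triage helpers for CVE-2026-22679 (Weaver E-cology 10.0).

Added example, not code from the page, the vendor, or the researchers it cites.
Runs on constructed sample data embedded below. The access-log layout (combined
format), the process-event line format, and the Java parent-process filter are
assumptions made for illustration.
"""
import re

# Facts taken from the page / NVD entry.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
PATCHED_MARKER = 20260312                             # builds before this are affected
DISCOVERY_CMDS = ("whoami", "ipconfig", "tasklist")  # observed by Vega Research Team
SUSPECT_ARTIFACTS = ("powershell", ".msi")           # payload retrieval / MSI implant

# Assumed "combined" access-log layout: ip - user [ts] "METHOD path HTTP/x" status size
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed process-event layout: ts parent=<image> cmd="<command line>"
_EVENT_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"')


def is_vulnerable_build(version: str) -> bool:
    """True when the 8-digit build marker in `version` predates the fix.

    Unknown formats return False so the caller escalates instead of guessing.
    """
    m = re.search(r"\b(\d{8})\b", version)
    return bool(m) and int(m.group(1)) < PATCHED_MARKER


def scan_access_log(lines):
    """Return every request to the debug endpoint. POSTs match the shape the
    exploitation path uses, so they are marked separately from probes."""
    hits = []
    for line in lines:
        m = _ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.lower().startswith(DEBUG_ENDPOINT.lower()):
            hits.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "method": m.group("method"), "status": int(m.group("status")),
                "exploit_shape": m.group("method") == "POST",
            })
    return hits


def scan_process_events(lines, parent_prefix="java"):
    """Flag commands spawned under the app server (assumed Java) that contain
    the reported discovery commands or payload artifacts."""
    hits = []
    for line in lines:
        m = _EVENT_RE.match(line)
        if not m or not m.group("parent").lower().startswith(parent_prefix):
            continue
        cmd = m.group("cmd").lower()
        reasons = [c for c in DISCOVERY_CMDS if re.search(rf"\b{c}\b", cmd)]
        reasons += [a for a in SUSPECT_ARTIFACTS if a in cmd]
        if reasons:
            hits.append({"ts": m.group("ts"), "cmd": m.group("cmd"), "reasons": reasons})
    return hits


# Constructed sample data (not real captures).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Mar/2026:09:41:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '198.51.100.3 - - [17/Mar/2026:09:41:05 +0000] "GET /login/Login.jsp HTTP/1.1" 200 8192',
    '203.0.113.7 - - [17/Mar/2026:09:42:10 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 405 0',
]
SAMPLE_PROCESS_EVENTS = [
    '2026-03-17T09:41:03Z parent=java.exe cmd="cmd.exe /c whoami"',
    '2026-03-17T09:41:09Z parent=java.exe cmd="cmd.exe /c ipconfig /all"',
    '2026-03-17T09:50:31Z parent=explorer.exe cmd="tasklist"',
    '2026-03-24T11:02:44Z parent=java.exe cmd="msiexec /i C:\\Windows\\Temp\\fanwei0324.msi /qn"',
]

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_build("E-cology 10.0 build 20260305"))
    for h in scan_access_log(SAMPLE_ACCESS_LOG):
        print("endpoint hit:", h)
    for h in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("process hit:", h)
```

Point the two scan functions at real log exports once the field layout is adjusted to what your web server and EDR actually emit; the parent-process filter is the part most likely to need changing, since it encodes an assumption about how E-cology launches commands rather than anything the reporting states.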

The record in public reporting is straightforward: an unauthenticated debug API endpoint in Weaver E-cology enabled remote command execution; proof-of-concept reproduction and active exploitation were observed in March 2026; and investigators documented an attempted deployment cycle that included staged payloads and discovery commands. Patches exist and detection tooling is available, but the Vega Research Team's findings, including the use of a plausibly named MSI and attempts to retrieve further payloads, show that operators moved within days of the fix shipping. A central, practical question remains for organizations using Weaver E-cology: have all internet-exposed instances been updated and scanned for signs of the specific attacker behaviors recorded here?

Original reporting: thehackernews.com — Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API