CVE-2026-22679
Unauthenticated RCE in Weaver E-cology 10.0 Debug Endpoint
Publication date: 2026-04-07
Last updated on: 2026-05-05
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weaver | e-cology | up to 20260312 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI-Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-22679 is a critical unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands on affected systems without any authentication.
Such a vulnerability can severely impact the confidentiality, integrity, and availability of data and systems, which are core principles in many compliance standards such as GDPR and HIPAA.
Exploitation of this vulnerability could lead to unauthorized access to sensitive personal or health information, data breaches, and system compromises, thereby violating regulatory requirements for data protection and security controls.
Organizations using affected versions of Weaver E-cology 10.0 prior to 20260312 must apply patches and follow security best practices to mitigate risks and maintain compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-22679 is a critical unauthenticated remote code execution (RCE) vulnerability in Weaver (Fanwei) E-cology 10.0 versions prior to 20260312. It exists in the debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method. Attackers can send specially crafted POST requests with manipulated interfaceName and methodName parameters to invoke exposed debug functionality, allowing them to execute arbitrary commands on the affected system without any authentication.
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a very high severity score (CVSS v4 base score of 9.3 and CVSS v3.1 base score of 9.8), indicating it can be exploited remotely with low complexity and no privileges or user interaction required, resulting in high impact on confidentiality, integrity, and availability.
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the affected system, which can lead to full system compromise. Attackers can gain control over the system, potentially stealing sensitive data, modifying or deleting information, disrupting services, or using the system as a foothold for further attacks.
Because no authentication or user interaction is required, the risk of exploitation is very high, making affected systems highly vulnerable to remote attacks that can severely impact confidentiality, integrity, and availability of the system and its data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoints and analyzing the responses for specific error messages or behaviors indicating exploitability.
- For the dubboApi RCE vulnerability, send a POST request to /papi/esearch/data/devops/dubboApi/debug/method with query parameters interfaceName=com.weaver.dw.platform.spark.util.LinuxCommand and methodName=execCmdWaitStdOut, using Content-Type: application/json and an empty JSON array body ([]). A response with HTTP 200 and JSON containing "code":500 and "msg":"系统错误" (Chinese for "system error") indicates the vulnerability.
- For the xmReport RCE vulnerability, send a GET request to /papi/archive/aux/xmReport/preview expecting a 405 Method Not Allowed response with specific error messages, then a POST request with Content-Type: application/x-www-form-urlencoded and an empty body. An HTTP 200 response with JSON containing "code":500 and "msg":"系统错误" confirms the vulnerability.
- For the saveSignAddrsInfo RCE vulnerability, send a POST request to /papi/calendar/saveSignAddrsInfo with Content-Type: application/json; charset=utf-8 and an empty JSON object ({}), followed by a GET request to /papi/calendar/getSignAddrsInfo with a dynamic key parameter. Responses indicating missing parameters and successful interface return confirm the vulnerability.
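The checks above are active probes. As an added defensive complement (example code written for this page, not part of the advisory or of Weaver's own tooling), the following Python script scans web-server access-log lines for requests to the dubboApi debug endpoint and rates each hit, flagging the LinuxCommand/execCmdWaitStdOut pattern highest. The log lines are constructed samples and the severity labels are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:12:01 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=com.weaver.dw.platform.spark.util.LinuxCommand&methodName=execCmdWaitStdOut HTTP/1.1" 200 58
198.51.100.9 - - [07/Apr/2026:10:12:05 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0
192.0.2.4 - - [07/Apr/2026:10:13:10 +0000] "GET /login/Login.jsp HTTP/1.1" 200 1024
203.0.113.7 - - [07/Apr/2026:10:14:22 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=com.example.Foo&methodName=bar HTTP/1.1" 200 58
"""

# Endpoint named in the advisory; it should never be reachable from untrusted networks.
DEBUG_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for one access-log line, or None if it is not a hit on the debug endpoint."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != DEBUG_PATH:
        return None
    qs = parse_qs(parts.query)
    iface = qs.get("interfaceName", [""])[0]
    meth = qs.get("methodName", [""])[0]
    # Assumed severity ladder: any request to the unauthenticated debug endpoint is
    # worth an alert; a POST naming the LinuxCommand interface matches the probe
    # described above and is rated critical.
    if m.group("method") == "POST" and iface.endswith(".LinuxCommand"):
        severity = "critical"
    elif m.group("method") == "POST":
        severity = "high"
    else:
        severity = "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "interfaceName": iface, "methodName": meth, "severity": severity}

def scan(log_text):
    """Scan multi-line log text; return one finding per suspicious line, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```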
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation consists of applying the official security patch for Weaver E-cology 10.0, i.e. updating to build 20260312 or later, which addresses this vulnerability.
Additionally, follow general security best practices such as:
- Regularly update passwords with high complexity (minimum 13 characters including uppercase, lowercase, numbers, and special characters).
- Strictly prohibit exposing remote desktop ports (e.g., 3389, 22) to the internet; only necessary ports like 80, 89, 8088 should be open.
- Perform offsite and off-media backups of applications and databases before applying patches.
- For systems with extensive custom development, test patches in a staging environment prior to production deployment.
- Restrict access to sensitive microservice ports (e.g., 8099, 2098, 8090, 9300, 20981) to prevent internet exposure.