Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint

Description

Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).

Affected Products

Vendor	Product	Versions
weaver network co.	e-cology	0

References

https://www.weaver.com.cn/cs/securityDownload.html#(release-notes)
https://h4cker.zip/post/d5d211/(technical-description, exploit)
https://ti.qianxin.com/vulnerability/notice-detail/1760(third-party-advisory)
https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint(third-party-advisory)

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-22679 | Weaver Network e-cology 10.0/2026-03-31 POST Request method interfaceName/methodName missing authentication

→ No new info (linked only)

CVSS 3.19.8 NONE

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

20260312

CWECWE-306

PublishedApr 7, 2026

Last enriched3h agov2

Trending Score111🔥

Source articles1

Independent1

Info Completeness9/14

Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, added exploit availability, and provided a more detailed description of the vulnerability.

descriptionseverityexploitAvailableactivelyExploited

via VulDB

v13h ago

Initial creation