Weaver E-cology RCE CVE-2026-22679 Exploited via Debug API
Security researchers have confirmed that the enterprise office‑automation platform Weaver E‑cology, developed by Fanwei, is being actively exploited in the wild. The flaw, tracked as CVE‑2026‑22679, is a critical remote‑code‑execution (RCE) vulnerability that resides in the platform’s internal debug API and has been given a CVSS v3 score of 9.8. The issue enables an unauthenticated attacker to execute arbitrary code on both Windows and Linux servers running the affected software, making it a high‑priority target for threat actors. The findings were first reported by The Hacker News.
The attack vector leverages the exposed /api/debug/ endpoint, which was left without proper authentication for diagnostic purposes. By sending a specially crafted HTTP POST request that includes a Base64‑encoded command in the "cmd" parameter, attackers can trigger the server’s command‑execution routine. Trend Micro’s telemetry captured payloads such as "powershell -enc
Successful exploitation provides attackers with a foothold on the organization’s internal network, allowing data exfiltration, credential harvesting, and lateral movement to critical assets such as ERP and CRM systems. In observed incidents, the compromised OA server was used to pivot to adjacent file shares, exfiltrating sensitive documents and user credentials. The intruders also attempted to deploy a ransomware payload, though the campaign was halted by the victim’s endpoint detection before encryption could complete.
Fanwei has released version 10.5.2 of E‑cology, which disables the debug API by default and adds proper authentication checks. Administrators are advised to update immediately, block external access to the /api/debug/ path at the perimeter, and monitor for the IOCs listed in the vendor’s advisory. Organizations unable to patch should consider disabling the debug service entirely via the configuration file and applying network segmentation to limit the impact of any future compromise.
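Monitoring for requests to the debug path can start from the access logs of the proxy in front of the OA server. The following is an added example, not code from the article or from Fanwei: it flags logged requests to /api/debug/ and rates an external POST answered with a 2xx status as high. The log format (Combined Log Format), the internal address ranges, and the sample lines are assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: the front-end proxy writes Common/Combined Log Format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
DEBUG_PATH = "/api/debug"  # endpoint named in the article
# Assumption: clients in these ranges are internal; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def normalize(target):
    """Drop the query, percent-decode, collapse slashes and dot segments, lower-case."""
    path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))
    return posixpath.normpath(path).lower()

def is_external(ip):
    """True when the client address is outside the INTERNAL ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(addr in net for net in INTERNAL)

def find_debug_hits(lines):
    """Return one finding per logged request that targeted the debug API path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        path = normalize(m["target"]) if m else ""
        if path != DEBUG_PATH and not path.startswith(DEBUG_PATH + "/"):
            continue
        external = is_external(m["ip"])
        # External POST answered with 2xx: the endpoint was reachable and responded.
        high = m["method"] == "POST" and m["status"].startswith("2") and external
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"], "external": external,
                     "status": int(m["status"]), "severity": "high" if high else "review"})
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE = [
    '203.0.113.5 - - [12/Mar/2026:10:01:22 +0000] "POST /api/debug/ HTTP/1.1" 200 512',
    '10.0.4.17 - - [12/Mar/2026:10:02:03 +0000] "GET /api/debug/ HTTP/1.1" 200 98',
    '198.51.100.9 - - [12/Mar/2026:10:05:41 +0000] "POST /API//debug/ HTTP/1.1" 200 77',
    '198.51.100.9 - - [12/Mar/2026:10:06:10 +0000] "POST /api/debug/ HTTP/1.1" 403 0',
    '203.0.113.5 - - [12/Mar/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Request bodies are normally absent from access logs, so the "cmd" parameter itself will not appear here; a "review" finding with status 403 indicates the perimeter block is working.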