A critical unauthenticated remote code execution vulnerability in Weaver E-cology is currently exploited by threat actors in active attacks.
The flaw (CVE-2026-22679, CVSS 9.8) affects Weaver E-cology 10.0 versions before patch 20260312. Weaver, also known as Fanwei, develops enterprise office automation and collaboration software deployed across thousands of organizations, particularly in Asia.
The vulnerability exists in the "/papi/esearch/data/devops/" debug API endpoint. Attackers bypass authentication entirely and execute arbitrary code on vulnerable servers without credentials. This represents the highest severity classification and allows complete system compromise.
The attack requires no prior access or special privileges. An attacker sends a malformed request to the exposed debug endpoint and gains code execution within the target environment. This simplicity dramatically increases risk for organizations running unpatched versions.
Weaver E-cology operates as a central collaboration hub for many enterprises, handling email, file storage, workflow automation, and document management. Compromise enables attackers to steal sensitive business data, inject persistent backdoors, deploy ransomware, or pivot to connected systems on the network.
Active exploitation confirms threat actors have weaponized the flaw. Organizations should prioritize immediate patching to version 20260312 or later. For systems that cannot be updated immediately, administrators should restrict network access to the "/papi/esearch/" path using firewalls or web application firewalls, implement strict monitoring for requests to the vulnerable endpoint, and isolate E-cology servers from critical infrastructure where possible.
Weaver E-cology deployments commonly operate in air-gapped or restricted networks, but internet-facing instances remain at immediate risk. Organizations should scan their environments to identify exposed E-cology instances and verify patch status across all servers.