PT-2026-30819 · Fanwei · Weaver E-Cology
Daniel Messing · Published 2026-04-07 · Updated 2026-06-05 · CVE-2026-22679
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Weaver (Fanwei) E-cology versions prior to 20260312
Description
An unauthenticated remote code execution issue exists due to exposed debug functionality. Attackers can execute arbitrary system commands by sending crafted POST requests to the '/papi/esearch/data/devops/dubboApi/debug/method' endpoint. This is achieved by controlling the interfaceName and methodName parameters to reach command-execution helpers. Real-world exploitation has been observed since mid-March, with evidence first noted by the Shadowserver Foundation on 2026-03-31 (UTC).
Recommendations
Update to version 20260312 or later.
As a temporary workaround, restrict access to the '/papi/esearch/data/devops/dubboApi/debug/method' endpoint to minimize the risk of exploitation.
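To check whether the endpoint has already been reached, the following added example (not part of the original advisory) scans web access logs for POST requests to it, normalizing each path first so that non-canonical spellings are not missed. It assumes Combined Log Format; the function names, sample lines and addresses are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Assumption: the front-end proxy writes Combined Log Format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Reduce a request target to a canonical lower-case path."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # second pass catches double encoding (%252F)
        path = unquote(path)
    # Drop ;parameters that some servlet containers ignore per segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse duplicate slashes and ./ or ../ segments.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Lower-casing over-matches on purpose: better a false hit than a miss.
    return path.lower()

def find_hits(lines):
    """Return (ip, timestamp, status) for each POST to the debug endpoint."""
    wanted = DEBUG_ENDPOINT.lower()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and normalize_path(m["target"]) == wanted:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2026:08:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2026:08:00:05 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Apr/2026:08:00:09 +0000] "POST /papi//esearch/data/devops/dubboApi/debug/./method?x=1 HTTP/1.1" 200 87',
    '203.0.113.4 - - [01/Apr/2026:08:01:00 +0000] "POST /papi/esearch/data/devops/dubboApi/debug%2Fmethod HTTP/1.1" 403 0',
    '203.0.113.4 - - [01/Apr/2026:08:01:02 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, status in find_hits(SAMPLE_LOG):
        # A 2xx status means the request was served, not blocked.
        print(f"{ts} {ip} status={status}")
```

Hits answered with a 2xx status on a host running a version prior to 20260312 deserve investigation; 403 responses after the workaround is in place indicate the restriction is being enforced.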
Exploit · Fix · RCE · Missing Authentication
Affected Products
Weaver E-Cology