Description
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).
Published: 2026-04-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote attacker can send crafted XML-RPC requests to the XmlRpcServlet endpoint and cause the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods to read arbitrary files from the server's filesystem (anything readable by the account the application runs as). The vulnerability allows leakage of sensitive configuration data and database credentials, compromising the confidentiality of the system; integrity and availability are not directly affected. The weakness is a path-traversal style flaw captured by CWE-22.

Affected Systems

The affected product is Weaver Network Co., Ltd.’s E‑cology 9.5, for all releases prior to 10.52. The issue exists in the XML‑RPC interface of the platform and may impact any installation that has not been updated to the 10.52 release or later.

Risk and Exploitability

The flaw carries a CVSS v4.0 base score of 8.7 (high; the v3.1 vector scores 7.5), and the EPSS score is below 1% (very low). It is not listed in the CISA KEV catalog, but the Shadowserver Foundation reported first observed exploitation on December 14, 2022, so absence from KEV should not be taken as absence of in-the-wild activity. The attack vector is remote, unauthenticated access to the XML-RPC service over the network, with no user interaction required. An attacker who succeeds can read arbitrary files, including configuration files and credentials, leading to data exposure and potential further compromise of the system.

Generated by OpenCVE AI on May 1, 2026 at 05:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a version that includes the fix, such as E‑cology 10.52 or newer.
  • Restrict network access to the XmlRpcServlet endpoint by configuring firewalls or access control lists so that only trusted hosts can reach the XML‑RPC service.
  • Enable detailed logging for XML-RPC calls and monitor for requests naming WorkflowService.getAttachment or WorkflowService.LoadTemplateProp whose parameters contain path-traversal sequences or absolute paths; consider deploying a web application firewall to block unauthorized XML-RPC traffic.
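The following is an added example, not code from OpenCVE or from Weaver: a small filter that applies the two recommendations above to XML-RPC request bodies. It parses the standard XML-RPC methodCall envelope, flags calls to the two methods named in the description, checks the caller against an allowlist, and looks for traversal sequences or absolute paths in string parameters. The page gives the method names but not their parameter layout, so the code inspects every string value rather than one positional argument; the sample requests, source addresses and allowlist are constructed for the demonstration.

```python
"""Added example (not OpenCVE's or Weaver's code): request filter / detector
for XML-RPC calls aimed at the E-cology XmlRpcServlet described above.

Assumption: the CVE text names the two methods but not their parameters,
so every string value in the call is inspected for traversal patterns.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml
from dataclasses import dataclass, field
from typing import List, Sequence

# Method names taken from the CVE description.
SENSITIVE_METHODS = {
    "WorkflowService.getAttachment",
    "WorkflowService.LoadTemplateProp",
}

# Dot-dot segments (plain, URL-encoded, or backslash-separated) and
# absolute POSIX or Windows paths.
TRAVERSAL_RE = re.compile(
    r"(\.\.[\\/])|(%2e%2e)|(^[\\/])|(^[A-Za-z]:[\\/])", re.IGNORECASE
)


@dataclass
class Verdict:
    method: str
    suspicious_params: List[str] = field(default_factory=list)
    allowed_source: bool = True

    @property
    def block(self) -> bool:
        # Block a call to one of the named methods if the caller is outside
        # the allowlist or any parameter looks like a traversal attempt.
        return self.method in SENSITIVE_METHODS and (
            not self.allowed_source or bool(self.suspicious_params)
        )


def _string_params(root: ET.Element) -> List[str]:
    """Collect every string-typed parameter, including values nested inside
    <struct>/<array>. An untyped <value> defaults to string in XML-RPC."""
    out = []
    for v in root.iter("value"):
        typed = v.find("string")
        if typed is not None:
            out.append((typed.text or "").strip())
        elif len(v) == 0:
            out.append((v.text or "").strip())
    return out


def analyse(body: str, client_ip: str, allowlist: Sequence[str]) -> Verdict:
    """Parse one XML-RPC request body and decide whether it should be blocked."""
    root = ET.fromstring(body)  # raises ParseError on non-XML bodies
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = (root.findtext("methodName") or "").strip()
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in ipaddress.ip_network(n) for n in allowlist)
    suspicious = [p for p in _string_params(root) if TRAVERSAL_RE.search(p)]
    return Verdict(name, suspicious, allowed)


# Constructed sample traffic (source address, request body); not real captures.
SAMPLE_CALLS = [
    ("10.0.0.5", """<?xml version="1.0"?>
<methodCall>
  <methodName>WorkflowService.getAttachment</methodName>
  <params><param><value><string>report.docx</string></value></param></params>
</methodCall>"""),
    ("203.0.113.7", """<?xml version="1.0"?>
<methodCall>
  <methodName>WorkflowService.LoadTemplateProp</methodName>
  <params><param><value>../../../../etc/passwd</value></param></params>
</methodCall>"""),
    ("203.0.113.7", """<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params/>
</methodCall>"""),
]


def scan_samples(allowlist: Sequence[str] = ("10.0.0.0/8",)) -> List[Verdict]:
    """Run the filter over the constructed samples; the allowlist is assumed."""
    return [analyse(body, ip, allowlist) for ip, body in SAMPLE_CALLS]


if __name__ == "__main__":
    for (ip, _), v in zip(SAMPLE_CALLS, scan_samples()):
        print(f"{ip:15} {v.method:35} block={v.block} params={v.suspicious_params}")
```

The allowlist check and the traversal check are deliberately independent: an internal host sending a traversal payload is still blocked, and an external host calling the named methods is blocked even with benign-looking parameters, which is the conservative reading of the access-restriction recommendation.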

Generated by OpenCVE AI on May 1, 2026 at 05:08 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Weaver; Weaver e-cology
Vendors & Products  |                | Weaver; Weaver e-cology

Thu, 30 Apr 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).
Title       |                | Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T17:30:25.448Z

Reserved: 2026-04-29T17:34:46.642Z

Link: CVE-2022-50992

Vulnrichment

Updated: 2026-04-30T17:30:20.917Z

NVD

Status : Deferred

Published: 2026-04-30T17:16:24.633

Modified: 2026-04-30T17:19:57.853

Link: CVE-2022-50992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:14Z

Weaknesses