Description
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Published: 2026-04-07
Score: 9.3 Critical
EPSS: 21.5% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote code execution vulnerability affects Weaver Network Co., Ltd.’s E‑Cology 10.0 software, triggered through the /papi/esearch/data/devops/dubboApi/debug/method endpoint. The endpoint accepts POST requests with interfaceName and methodName parameters that an attacker can control, leading the system to invoke command‑execution helpers and run arbitrary shell commands. This weakness is categorized as a lack of proper authentication control (CWE‑306) and allows a remote actor to gain full control over the affected environment.

Affected Systems

The vulnerability affects all releases of Weaver Network Co., Ltd.’s E‑Cology 10.0 software prior to the 20260312 release. No other vendors or product variants are listed as impacted.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as critical, and the EPSS score of 21% indicates a relatively high likelihood of real‑world exploitation. The attack path requires no authentication and can be executed by sending crafted POST requests over HTTP to the debug endpoint. Although the vulnerability is not yet listed in CISA’s KEV catalog, documented exploitation by the Shadowserver Foundation and the high severity metrics suggest that it represents a significant risk to any exposed installation.

Generated by OpenCVE AI on June 18, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Block or restrict HTTP access to the /papi/esearch/data/devops/dubboApi/debug/method endpoint until a vendor patch or other mitigation is available.
  • Check the Weaver Network Co., Ltd. website for security advisories or software updates and apply them as soon as a fix is released.
  • If a newer E‑Cology 10.0 release (20260312 or later) becomes available, plan an upgrade of the software to remove the vulnerability.
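While access to the endpoint is being restricted, defenders will also want to know whether it has already been reached. The following log-triage script is an added example (not part of the OpenCVE record or of Weaver's software); it assumes Apache/nginx "combined" access-log lines and uses the constructed sample lines embedded below. It canonicalises the request path (query string, percent-encoding, doubled slashes) so that a cosmetically different request to the same endpoint is still flagged.

```python
"""Flag access-log requests aimed at the E-cology dubboApi debug endpoint."""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Endpoint path taken from the advisory.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Apache/nginx "combined" format: client, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target: str) -> str:
    """Canonicalise a request target so encoding variants still match."""
    path = urlsplit(target).path      # drop ?query and #fragment
    path = unquote(unquote(path))     # undo single and double percent-encoding
    path = normpath(path)             # collapse "//", "/./" and "/../" segments
    return path.rstrip("/") or "/"

def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec.pop("target"))
    rec["status"] = int(rec["status"])
    return rec

def scan_access_log(lines):
    """Return every request whose canonical path is the debug endpoint.

    likely_success marks a POST answered with 200, i.e. the request shape the
    advisory describes reached the endpoint (case folded for triage purposes).
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower() == DEBUG_ENDPOINT.lower():
            rec["likely_success"] = rec["method"] == "POST" and rec["status"] == 200
            hits.append(rec)
    return hits

# Constructed sample lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:10:02:11 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [31/Mar/2026:10:03:45 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '192.0.2.5 - - [31/Mar/2026:10:05:01 +0000] "POST /papi//esearch/data/devops/dubboApi/debug/%6Dethod HTTP/1.1" 200 380 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Mar/2026:10:06:30 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Feed real log lines to scan_access_log and review any hit dated before the endpoint was blocked; a likely_success hit warrants incident-response follow-up on that host.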

Advisories

No advisories yet.

History

Tue, 05 May 2026 14:30:00 +0000


Fri, 24 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Weaver; Weaver e-cology
Vendors & Products | | Weaver; Weaver e-cology

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Title | | Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 | | cvssV4_0: score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
 | | ssvc (version 2.0.3): Automatable: yes; Exploitation: poc; Technical Impact: total


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T13:39:47.937Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22679

Vulnrichment

Updated: 2026-04-07T13:30:29.686Z

NVD

Status: Modified

Published: 2026-04-07T13:16:45.400

Modified: 2026-06-17T10:20:13.370

Link: CVE-2026-22679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:30:16Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function