Description
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Published: 2026-04-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated remote code execution vulnerability exists in Weaver E‑Cology 10.0 systems. The flaw is exposed via the /papi/esearch/data/devops/dubboApi/debug/method endpoint, which accepts arbitrary interfaceName and methodName parameters in POST requests. Attackers can trigger command‑execution helpers and run arbitrary shell commands, giving them full control over the affected system. The weakness corresponds to inappropriate authentication controls (CWE‑306).

Affected Systems

The vulnerability affects Weaver Network Co., Ltd.’s E‑Cology 10.0 software, with all versions released before 20260312 being vulnerable. No other vendors or product variants are known to be impacted.

Risk and Exploitability

The CVSS score of 9.3 denotes a critical severity. The EPSS score is unavailable, but the exploit was observed by the Shadowserver Foundation on 2026‑03‑31, indicating real-world use. Attackers can reach the debug endpoint over HTTP and craft malicious POST payloads to trigger the vulnerability; this attack path does not require prior authentication, as the endpoint lacks enforcement, making exploitation straightforward. The vulnerability is not yet listed in CISA’s KEV catalog, but its critical score and documented exploitation suggest high potential risk.

Generated by OpenCVE AI on April 7, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest E‑Cology 10.0 patch (20260312 or newer).
  • Verify the update by checking the installed version or release notes.
  • If patching cannot be performed immediately, block or restrict access to the /papi/esearch/data/devops/dubboApi/debug/method endpoint.

Generated by OpenCVE AI on April 7, 2026 at 20:12 UTC.
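The last recommended action (restricting access to the debug endpoint) is easier to prioritise if you can also see whether anything has already reached it. The following Python script is an added example, not OpenCVE's or Weaver's code; it assumes the E-cology instance sits behind a web server that writes access logs in the common "combined" format, scans those lines for requests to the debug endpoint, and normalises path variants (query string, percent-encoding, doubled or trailing slashes) so a naive exact match does not miss them. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Path of the unauthenticated debug endpoint named in CVE-2026-22679 (lower-cased for comparison).
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboapi/debug/method"

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode (twice, to catch double-encoding), collapse repeated
    slashes, lower-case, and strip any trailing slash."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path).lower().rstrip("/")
    return path or "/"

def find_debug_endpoint_hits(log_lines):
    """Return one dict per request that reached the dubboApi debug endpoint.
    Every method counts: the endpoint should not be reachable from untrusted
    networks at all, so a GET probe is as worth knowing about as a POST."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if normalize_path(m["target"]) == DEBUG_ENDPOINT:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample lines (not real traffic): a direct POST, a doubled-slash and
# query-string variant, a percent-encoded variant, and two unrelated requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:02:14:07 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '198.51.100.3 - - [31/Mar/2026:02:15:40 +0000] "GET /login HTTP/1.1" 200 2048',
    '203.0.113.7 - - [31/Mar/2026:02:16:02 +0000] "POST //papi/esearch/data/devops/dubboApi/debug/method/?x=1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [31/Mar/2026:02:17:11 +0000] "GET /papi/esearch/data/devops/dubboApi/other HTTP/1.1" 404 0',
    '192.0.2.18 - - [31/Mar/2026:02:18:55 +0000] "GET /papi%2Fesearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for hit in find_debug_endpoint_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} -> {hit["status"]}')
```

A 200 on the endpoint from an untrusted address is the case to investigate first; a 403 shows the restriction in the recommended actions is already doing its job for that request.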


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared  -                 Weaver; Weaver e-cology
Vendors & Products   -                 Weaver; Weaver e-cology

Tue, 07 Apr 2026 15:15:00 +0000

Values added (no values removed):

Description: Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Title: Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
Weaknesses: CWE-306
References:
Metrics:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T13:31:03.676Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22679

Vulnrichment

Updated: 2026-04-07T13:30:29.686Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T13:16:45.400

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-22679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:33Z

Weaknesses