Critical Unauthenticated RCE in Weaver E-cology 10.0 — CVE-2026-22679 (CVSS 9.8)

CVE-2026-22679 is a critical unauthenticated remote code execution vulnerability in Weaver (Fanwei) E-cology 10.0, a widely-used enterprise collaboration and OA (Office Automation) platform popular in Chinese enterprises and multinational organizations. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, which fails to properly authenticate requests before processing them. An unauthenticated remote attacker can send specially crafted requests to this endpoint to execute arbitrary code on the server with the privileges of the application process. The CVSS v3 base score is 9.8 (Critical). Versions prior to the 20260312 (March 12, 2026) patch are vulnerable. Weaver E-cology is commonly deployed in enterprise environments handling sensitive business processes, HR data, and internal communications, making successful exploitation particularly damaging. Mitigations: Apply the Weaver E-cology patch released on March 12, 2026 (version 20260312) immediately. If patching is not immediately possible, implement WAF rules to block requests to the vulnerable endpoint. Ensure E-cology is not directly exposed to the internet. Review access logs for exploitation attempts targeting the dubboApi endpoint.