Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Articles & Coverage 2
AnalysisAI
Unauthenticated remote code execution in Weaver E-cology 10.0 (pre-20260312) allows attackers to execute arbitrary system commands via exposed debug functionality at /papi/esearch/data/devops/dubboApi/debug/method. Attackers exploit this by sending crafted POST requests with malicious interfaceName and methodName parameters to invoke command-execution helpers. Confirmed actively exploited (CISA KEV) with exploitation first observed by Shadowserver Foundation on March 31, 2026. Publicly available exploit code exists (h4cker.zip PoC), CVSS 9.8 (Critical), EPSS data not provided but real-world exploitation confirmed.
Technical ContextAI
This vulnerability affects Weaver E-cology 10.0, an enterprise collaboration and office automation platform widely deployed in Chinese organizations (CPE: cpe:2.3:a:weaver_network_co.,_ltd.:e-cology). The root cause is CWE-306 (Missing Authentication for Critical Function), where a Dubbo API debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method lacks authentication controls and exposes dangerous debugging functionality to the public network. Dubbo is a popular Java RPC framework, and debug endpoints typically allow method invocation for troubleshooting. In this case, the interfaceName and methodName parameters accept attacker-controlled input that can reference internal command-execution utility classes, effectively turning the debug interface into a remote shell. The vulnerability bypasses all authentication mechanisms, making it directly exploitable from the internet without credentials.
RemediationAI
Immediately upgrade to Weaver E-cology 10.0 version 20260312 or later, which addresses this vulnerability according to the vendor security download page (https://www.weaver.com.cn/cs/securityDownload.html). Given confirmed active exploitation, this patch should be treated as an emergency deployment with priority over standard change management procedures. If immediate patching is not feasible, implement network-level controls to block external access to the /papi/esearch/data/devops/dubboApi/debug/* endpoint path using web application firewalls or reverse proxies, and restrict E-cology administrative interfaces to trusted internal networks only. Conduct forensic investigation on all E-cology instances to identify potential compromise indicators, including unusual process execution, unauthorized user accounts, web shell artifacts, or suspicious outbound network connections since March 31, 2026. Consult the VulnCheck advisory (https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint) for additional technical indicators of compromise and detection guidance.
A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Rated high severity (CVSS 8.8), this v
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet i
CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allo
A vulnerability was found in Weaver e-cology 8. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploit
An issue was discovered in Weaver e-cology 9.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploit
An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to th
Weaver Ecology v9.* was discovered to contain a SQL injection vulnerability via the component. Rated critical severity (
An issue in Weaver E-cology v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authen
A vulnerability was found in Weaver E-cology allows attackers use race conditions to bypass security mechanisms to uploa
A vulnerability was found in Weaver e-cology. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploit
E-cology has a directory traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely explo
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19607
GHSA-vg4v-xjcr-x7p5