Introduction
An exposed debugging endpoint in Weaver's E-cology 10.0 platform allows unauthenticated attackers to execute arbitrary system commands on the underlying server, and the Shadowserver Foundation has confirmed active exploitation in the wild since late March 2026. With a CVSS 3.1 score of 9.8 and trivial exploitation requirements, this vulnerability poses a serious risk to any organization running an unpatched instance.
Weaver Network Technology Co., Ltd. is a publicly traded Chinese technology corporation (Shanghai Stock Exchange, Stock Code 603039) founded in 2001 and headquartered in Shanghai. The company specializes in collaborative management and Office Automation platforms, with its flagship E-cology product widely deployed across enterprises in the Asia Pacific region, including operations in Singapore, Malaysia, Indonesia, Thailand, Vietnam, and Australia. As a core enterprise collaboration tool, E-cology instances often hold sensitive organizational data and sit within internal network perimeters, making them high value targets.
Technical Information
Root Cause: Missing Authentication on a Debug Endpoint
The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The /papi/esearch/data/devops/dubboApi/debug/method endpoint in E-cology 10.0 was designed for internal debugging of Dubbo service interfaces. However, it was deployed in production without any authentication or authorization controls. Any network reachable attacker can interact with this endpoint directly, with no credentials, session tokens, or prior application interaction required.
How the Endpoint Works
The endpoint accepts HTTP POST requests with a JSON body. Two parameters in the request are critical:
- interfaceName: Specifies the fully qualified Java class name to invoke.
- methodName: Specifies the method on that class to call.
Both parameters are entirely attacker controlled. The application uses these values to dynamically resolve and invoke the specified Java class and method on the server side. The actual command payload is passed via a JSON array in the request body.
Known Exploitation Paths
Security researchers have identified at least two class/method combinations that lead directly to arbitrary command execution:
| Target Class (interfaceName) | Target Method (methodName) | Description |
|---|---|---|
| com.weaver.dw.platform.spark.util.LinuxCommand | execCmdWaitStdOut | A Weaver internal utility that directly executes Linux commands and returns stdout |
| cn.hutool.core.util.RuntimeUtil | execForStr | A Hutool library method wrapping Runtime.exec() that returns output as a string |
Attack Flow
- Reconnaissance: The attacker identifies an internet facing E-cology 10 instance, for example through Shodan, Censys, or targeted scanning.
- Crafting the Request: The attacker constructs an HTTP POST request to /papi/esearch/data/devops/dubboApi/debug/method with a JSON body specifying one of the known interfaceName/methodName pairs and the desired system command in a JSON array.
- Execution: The server processes the request, dynamically resolves the specified class and method, and executes the attacker supplied command on the host operating system.
- Response: A successful exploitation attempt typically returns an HTTP 200 status code. The response body contains indicators such as "code":500 and "msg":"系统错误" (System Error). Although this reads like a failure, it confirms that the command execution helper was reached and invoked, so a 200 response carrying this body should be treated as a successful attempt rather than a blocked one.
The entire attack requires a single HTTP request and no prior authentication, making it highly amenable to automated scanning and mass exploitation.
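The request shape described under "How the Endpoint Works" and the attack flow above translate directly into detection logic. The following is an added example, not code from the advisory or from Weaver: it scans web-server access logs for requests to the debug endpoint, grades captured request bodies by whether they name one of the two class/method pairs listed above, and recognises the HTTP 200 / code 500 / 系统错误 response signature. It assumes nginx/Apache combined-format access logs and JSON request bodies captured by a proxy or WAF; the log lines and bodies are constructed for the example, and the `params` key used to carry the command array is an assumption (the advisory only says the command travels in a JSON array).

```python
"""
Added detection example for the E-cology 10.0 dubboApi debug endpoint.
Not from the advisory or from Weaver. Assumes combined-format access logs
and JSON request/response bodies captured at a proxy or WAF.
"""
import json
import re
from dataclasses import dataclass

VULN_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"

# Class/method pairs the advisory names as leading to command execution.
KNOWN_RCE_PAIRS = {
    ("com.weaver.dw.platform.spark.util.LinuxCommand", "execCmdWaitStdOut"),
    ("cn.hutool.core.util.RuntimeUtil", "execForStr"),
}

# nginx/Apache combined log format: ip ident user [ts] "METHOD target proto" status size ...
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def scan_access_log(lines):
    """Return a Hit for every request whose path is the debug endpoint."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if path.rstrip("/") != VULN_PATH:
            continue
        status = int(m.group("status"))
        method = m.group("method")
        if method == "POST":
            severity = "high"
            reason = "POST to the unauthenticated debug endpoint"
            if status == 200:
                reason += "; HTTP 200 is consistent with a successful attempt, inspect the response body"
        else:
            severity = "medium"
            reason = f"{method} probe of the debug endpoint"
        hits.append(Hit(m.group("ip"), m.group("ts"), method, path, status, severity, reason))
    return hits


def classify_body(body_text):
    """Grade a captured request body to the endpoint. Returns (severity, reason)."""
    try:
        body = json.loads(body_text)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        # Not a JSON object: fall back to a substring match on the known classes.
        for cls, _ in KNOWN_RCE_PAIRS:
            if cls in body_text:
                return "critical", f"known RCE class {cls} in non-JSON body"
        return "low", "body is not a JSON object"
    iface = body.get("interfaceName")
    meth = body.get("methodName")
    if (iface, meth) in KNOWN_RCE_PAIRS:
        return "critical", f"known RCE pair {iface}.{meth}"
    if iface or meth:
        # Both values are attacker controlled, so any unrecognised pair is still suspect.
        return "high", f"unrecognised pair {iface}.{meth} sent to the debug endpoint"
    return "medium", "debug endpoint request without interfaceName/methodName"


def response_indicates_invocation(status, response_text):
    """True when the response matches the signature the advisory describes:
    HTTP 200 with a JSON body carrying code 500 and msg 系统错误."""
    if status != 200:
        return False
    try:
        resp = json.loads(response_text)
    except ValueError:
        return False
    return isinstance(resp, dict) and resp.get("code") == 500 and resp.get("msg") == "系统错误"


# Constructed sample data (not real traffic). RFC 5737 documentation addresses.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [28/Mar/2026:02:14:09 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 63 "-" "python-requests/2.31"',
    '198.51.100.4 - - [28/Mar/2026:02:14:10 +0000] "GET /login.jsp HTTP/1.1" 200 1874 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2026:02:14:11 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 405 0 "-" "curl/8.0"',
]
SAMPLE_BODIES = [
    # "params" is an assumed key name for the command array (not stated in the advisory)
    '{"interfaceName": "cn.hutool.core.util.RuntimeUtil", "methodName": "execForStr", "params": ["id"]}',
    '{"interfaceName": "com.example.SomeService", "methodName": "ping", "params": []}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
    for body in SAMPLE_BODIES:
        print(classify_body(body))
    print(response_indicates_invocation(200, '{"code":500,"msg":"系统错误"}'))
```

Path matching is done on the normalised path rather than on a substring so that a trailing slash or query string does not evade the rule; the body classifier escalates any request naming a known pair to critical and still flags unrecognised pairs, because the whole point of the flaw is that every class and method name is attacker chosen.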
Affected Systems and Versions
- Product: Weaver (Fanwei) E-cology 10.0
- Affected Versions: All E-cology 10.0 versions prior to security patch v20260312
- Fixed Version: Security patch v20260312 (released 2026-03-12)
- Vulnerable Endpoint: /papi/esearch/data/devops/dubboApi/debug/method
Any E-cology 10.0 deployment that has not applied the v20260312 patch and is reachable over the network (especially internet facing instances) should be considered vulnerable. Until the patch is applied, blocking requests to this path at a reverse proxy or WAF and removing direct internet exposure reduces the risk, but only the vendor patch restores the missing authentication check; instances that were exposed before patching should also be reviewed for signs of prior compromise.
Vendor Security History
Weaver's platforms have been the subject of prior security disclosures. In late 2024, CVE-2024-48072, a SQL injection vulnerability in Weaver Ecology v9, was disclosed and cataloged by national cybersecurity agencies including CISA. The recurrence of critical vulnerabilities in Weaver products underscores the importance of proactive patch management and network segmentation for organizations relying on these platforms.
References
- VulnCheck Advisory: Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
- QAX CERT Vulnerability Notice
- Weaver Security Download Center
- Weaver Security Update Notification (v20260312)
- Technical Analysis and PoC Details (h4cker.zip)
- Independent Vulnerability Analysis (gm7.org)
- CVE-2024-48072 Detail (NVD)
- CISA Vulnerability Summary, Week of November 18, 2024