Weaver E-cology Flaws Expose Servers to Unauthenticated RCE and File Read
Weaver (Fanwei) E-cology deployments are affected by two high-severity vulnerabilities that allow unauthenticated attackers to compromise exposed servers. CVE-2026-22679 impacts E-cology 10.0 versions prior to 20260312 and enables remote code execution through the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled interfaceName and methodName POST parameters can abuse exposed debug functionality to run arbitrary commands. The issue is classified as CWE-306 and carries high impact across confidentiality, integrity, and availability, with exploitation observed in the wild by the Shadowserver Foundation.
A second flaw, CVE-2022-50992, affects E-cology 9.5 versions prior to 10.52 and allows unauthenticated arbitrary file reads through the XmlRpcServlet XML-RPC interface. Attackers can supply file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods to retrieve sensitive files from the server, including configuration data and database credentials. The vulnerability is mapped to CWE-22, and Shadowserver reported exploitation evidence dating back to 2022, underscoring continued exposure risk for internet-facing E-cology systems that remain unpatched.
Timeline
Apr 30, 2026
VulnCheck receives disclosure for Weaver E-cology 9.5 file-read flaw
VulnCheck's disclosure channel received CVE-2022-50992 on April 30, 2026. The vulnerability affects Weaver E-cology 9.5 versions prior to 10.52.
Apr 7, 2026
VulnCheck receives disclosure for Weaver E-cology 10.0 RCE
VulnCheck's disclosure channel received CVE-2026-22679 on April 7, 2026. The vulnerability affects Weaver E-cology 10.0 versions prior to 20260312.
Mar 31, 2026
Shadowserver observes exploitation of Weaver E-cology 10.0 RCE flaw
The Shadowserver Foundation first observed exploitation of CVE-2026-22679, an unauthenticated remote code execution vulnerability in Weaver E-cology 10.0's /papi/esearch/data/devops/dubboApi/debug/method endpoint. The issue can be abused through attacker-controlled interfaceName and methodName parameters to execute arbitrary commands.
Dec 14, 2022
Shadowserver observes exploitation of Weaver E-cology 9.5 file-read flaw
The Shadowserver Foundation first observed exploitation of CVE-2022-50992, an unauthenticated arbitrary file read vulnerability in Weaver E-cology 9.5's XmlRpcServlet XML-RPC endpoint. The flaw allows remote attackers to read arbitrary files, including sensitive configuration files and database credentials.
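Both flaws described in the story and in the timeline above are reachable through a single HTTP request to a known endpoint: the /papi/esearch/data/devops/dubboApi/debug/method path for CVE-2026-22679, and the XmlRpcServlet XML-RPC interface with its WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods for CVE-2022-50992. That makes them straightforward to hunt for in web-server or reverse-proxy logs while a patch is rolled out. The script below is an added example for that purpose and is not code from Weaver, VulnCheck, Shadowserver or Mallory. It assumes a combined-log-style line with an optional trailing quoted request body (a hypothetical proxy setting; XML-RPC method names are only visible when bodies are logged), assumes the servlet is reachable under a URL containing `XmlRpcServlet` (the story names the servlet class but not its path), and uses constructed log lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Endpoint quoted in the CVE-2026-22679 advisory summary.
DUBBO_DEBUG_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
# Assumption: the XML-RPC servlet appears under a URL containing its class name.
XMLRPC_MARKER = "XmlRpcServlet"
# Method names quoted in the CVE-2022-50992 advisory summary.
XMLRPC_METHODS = ("WorkflowService.getAttachment", "WorkflowService.LoadTemplateProp")

# Combined log format plus an optional final quoted body field (assumed proxy setting).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    cve: str
    reason: str


def classify(method, path, body):
    """Return (cve, reason) when a request touches one of the advisory endpoints, else None.

    Any access to the debug endpoint is flagged, not only POST, because a debug
    interface reachable without authentication is itself the CWE-306 condition.
    """
    bare_path = path.split("?", 1)[0]
    if bare_path == DUBBO_DEBUG_PATH:
        return "CVE-2026-22679", f"{method} to dubboApi debug/method endpoint"
    if XMLRPC_MARKER in bare_path:
        for name in XMLRPC_METHODS:
            if body and name in body:
                return "CVE-2022-50992", f"XML-RPC call to {name}"
        return "CVE-2022-50992", "request to XmlRpcServlet (body not logged)"
    return None


def scan(lines):
    """Parse log lines and collect findings; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["method"], m["path"], m["body"])
        if hit:
            findings.append(Finding(m["ip"], m["ts"], *hit))
    return findings


def summarize(findings):
    """Count findings per (source IP, CVE) so triage can see who probed what."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f.ip, f.cve)] += 1
    return dict(counts)


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:10:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [31/Mar/2026:10:14:05 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '198.51.100.23 - - [14/Dec/2022:08:03:11 +0000] "POST /services/XmlRpcServlet HTTP/1.1" 200 2048 "-" "python-requests/2.28.1" "<methodCall><methodName>WorkflowService.getAttachment</methodName></methodCall>"',
    '192.0.2.10 - - [31/Mar/2026:10:20:00 +0000] "GET /wui/index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [31/Mar/2026:10:21:00 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.cve}: {f.reason}")
    print(summarize(hits))
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. A non-zero hit count on an E-cology 10.0 host older than build 20260312, or on a 9.5 host older than 10.52, should be treated as a possible compromise rather than a scan, since both flaws need no authentication; the complementary mitigation until the upgrade is applied is to deny the debug path and the XML-RPC servlet at the reverse proxy for anything other than trusted administrative sources.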
Related Stories

Critical OS Command Injection in IceWarp via `X-File-Operation` Header
Government cyber agencies in Belgium and Canada warned of a **critical unauthenticated OS command injection** vulnerability in *IceWarp* (tracked as **CVE-2025-14500**, **CVSS 9.8**) that can allow a remote attacker to execute arbitrary commands on affected servers. The flaw is described as **CWE-78** and is tied to improper validation of user-controlled input in the `X-File-Operation` HTTP header, enabling code execution with high privileges (e.g., **SYSTEM** on Windows or **root** on Linux), with severe impact to confidentiality, integrity, and availability. Both advisories urge immediate patching across impacted IceWarp product lines and versions, including *IceWarp Epos Update 2*, *Epos Update 1*, *Epos (1st generation)*, and *Deep Castle and older versions*. Recommended fixed versions include upgrading to **14.2.0.12+** (Epos Update 2), **14.1.0.20+** (Epos Update 1), **14.0.0.18+** (Epos 1st gen), and **13.0.3.13+** (Deep Castle/older), alongside heightened monitoring and detection while remediation is underway.
1 month ago
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
1 month ago
Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers **root access** and another that enables **arbitrary file write** through path traversal. **CVE-2026-3587** describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to `CWE-912` and assigned a `CVSS v3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, with CERT VDE publishing advisory `VDE-2026-020`. A separate vulnerability, **CVE-2026-5027**, affects Langflow's `POST /api/v2/files` endpoint, where improper sanitization of the multipart `filename` parameter allows path traversal using `../` sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as `CWE-22`, carries the `CVSS v3.1` vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, and is referenced in Tenable advisory `TRA-2026-26`.
1 month ago