Weaver E-cology Arbitrary File Read via XML-RPC (CVE-2022-50992)
The National Vulnerability Database has detailed CVE-2022-50992, an arbitrary file read vulnerability impacting Weaver (Fanwei) E-cology versions prior to 10.52. This flaw resides in the XmlRpcServlet interface, specifically at the XML-RPC endpoint. Unauthenticated remote attackers can exploit this by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods.
This unauthenticated access allows attackers to retrieve sensitive files, including system configuration files and database credentials directly from the server. The National Vulnerability Database notes that exploitation evidence for this vulnerability was first observed by the Shadowserver Foundation on 2022-12-14 (UTC), indicating active exploitation in the wild. With a CVSS score of 7.5 (HIGH), this is a critical exposure for affected organizations.
The attacker’s calculus here is straightforward: unauthenticated access to system configuration and database credentials is a goldmine. It’s a direct path to privilege escalation, data exfiltration, and further network compromise. Defenders need to recognize this as a critical initial access vector that bypasses standard authentication controls.
What This Means For You
- If your organization uses Weaver (Fanwei) E-cology, you need to immediately identify all instances and ensure they are patched to version 10.52 or higher. Prioritize this fix. Check your logs for any suspicious access attempts to the XML-RPC endpoint, specifically looking for calls to `WorkflowService.getAttachment` and `WorkflowService.LoadTemplateProp` from external IPs. Assume compromise if unpatched systems were internet-facing.
🛡️ Detection Rules
CVE-2022-50992 - Weaver E-cology Arbitrary File Read via XML-RPC

```yaml
title: CVE-2022-50992 - Weaver E-cology Arbitrary File Read via XML-RPC
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2022-50992 by targeting the XML-RPC servlet with requests
  to WorkflowService.getAttachment or WorkflowService.LoadTemplateProp, indicating an attempt
  to read arbitrary files from the Weaver E-cology application.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2022-50992/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/weaver/sys/lxrm/xmlrpc/servlet'
    # XML-RPC carries the method name in the POST body, so this field only matches
    # when the method name also appears in the logged query string. Pair the rule
    # with request-body logging (WAF or reverse proxy) to catch body-only calls.
    cs-uri-query|contains:
      - 'WorkflowService.getAttachment'
      - 'WorkflowService.LoadTemplateProp'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
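The log review recommended above and the Sigma rule both key on the servlet path and the two method names. As an added example (my code, not the page's rule or Weaver's), this Python scanner runs that logic over constructed request records and keeps servlet hits whose body was not logged as low-confidence findings, since XML-RPC puts the method name in the POST body rather than in the URI. The sample records, the internal address ranges and the placeholder method and path names are assumptions.

```python
import ipaddress
import re

# Endpoint path and method names as given in this page's Sigma rule and advisory text.
SERVLET_PATH = "/weaver/sys/lxrm/xmlrpc/servlet"
WATCHED_METHODS = {"WorkflowService.getAttachment", "WorkflowService.LoadTemplateProp"}
# XML-RPC puts the method name in the POST body, so the body is what we must inspect.
METHOD_RE = re.compile(r"<methodName>\s*([\w.]+)\s*</methodName>")
# Assumed internal ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (client_ip, uri, request_body), not real telemetry. The last
# record simulates a plain access log that recorded the URI but not the body.
SAMPLE_REQUESTS = [
    ("203.0.113.7", SERVLET_PATH,
     "<methodCall><methodName>WorkflowService.getAttachment</methodName>"
     "<params><param><value><string>PLACEHOLDER_FILE_PATH</string></value></param></params></methodCall>"),
    ("203.0.113.7", SERVLET_PATH,
     "<methodCall><methodName>WorkflowService.LoadTemplateProp</methodName><params/></methodCall>"),
    ("10.0.0.5", SERVLET_PATH,  # constructed, unrelated method name
     "<methodCall><methodName>ExampleService.unrelatedMethod</methodName><params/></methodCall>"),
    ("10.0.0.8", "/login/example.jsp", ""),  # constructed non-XML-RPC path
    ("10.0.0.9", SERVLET_PATH, ""),
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ip: str, uri: str, body: str):
    """Return a finding dict for a request hitting the XML-RPC servlet, or None."""
    if uri.split("?", 1)[0] != SERVLET_PATH:
        return None
    match = METHOD_RE.search(body)
    if match is None:
        # Servlet reached but the method is unknown because the body was not logged:
        # keep it as a low-confidence hit instead of silently dropping it.
        return {"ip": ip, "method": None, "external": is_external(ip), "confidence": "low"}
    name = match.group(1)
    if name not in WATCHED_METHODS:
        return None
    return {"ip": ip, "method": name, "external": is_external(ip), "confidence": "high"}


def scan(records):
    """Apply classify() to (ip, uri, body) tuples and return the findings in order."""
    return [f for f in (classify(*r) for r in records) if f is not None]
```

Feed it your own reverse-proxy or WAF records in the same shape; high-confidence hits from external addresses are the ones to triage first.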
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2022-50992 | Information Disclosure | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 |
| CVE-2022-50992 | Path Traversal | XmlRpcServlet interface at the XML-RPC endpoint |
| CVE-2022-50992 | Path Traversal | WorkflowService.getAttachment method |
| CVE-2022-50992 | Path Traversal | WorkflowService.LoadTemplateProp method |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.