Weaver E-office RCE: Unauthenticated File Upload Exploit Active

A critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2022-50993, impacts Weaver (Fanwei) E-office versions prior to 10.0_20221201. The National Vulnerability Database indicates that the OfficeServer.php endpoint is susceptible to remote attackers uploading malicious files. This is achieved by crafting multipart POST requests with arbitrary filenames and disguised content types.

Attackers can leverage this flaw to upload PHP webshells directly into the Document directory. Once uploaded, these webshells can be executed via simple HTTP GET requests, leading to remote code execution (RCE) with the privileges of the web server user. The National Vulnerability Database highlights that evidence of exploitation was first observed by the Shadowserver Foundation on October 10, 2022, underscoring the active threat this vulnerability poses.

With a CVSS score of 9.8, this vulnerability presents a critical risk. It’s a classic case of CWE-434 (Unrestricted Upload of File with Dangerous Type), enabling threat actors to establish persistence and expand their foothold within affected environments without prior authentication. The implications for data confidentiality, integrity, and availability are severe.

What This Means For You

  • If your organization uses Weaver (Fanwei) E-office, prioritize patching to version 10.0_20221201 or later immediately. This RCE allows unauthenticated attackers to gain full control of your web server. Audit your web server logs for suspicious file uploads to `OfficeServer.php` or unusual PHP file executions in your Document directories from October 2022 onwards.
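The log audit recommended above can be sketched as follows. This is an added example, not code from NVD, Weaver or the original post. It assumes Combined Log Format access logs and that uploaded files are served from a URL segment named "Document"; the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint named in the advisory; matched case-insensitively, with or without a query.
UPLOAD_RE = re.compile(r'/OfficeServer\.php(?:$|\?)', re.I)
# Assumption: uploaded files are reachable under a URL segment named "Document".
SHELL_RE = re.compile(r'/Document/[^?]*\.php(?:$|\?)', re.I)

def audit(lines):
    """Return (line_no, client_ip, kind, path, status) for each suspicious request."""
    uploaders = set()          # clients that have POSTed to the upload endpoint
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue           # not an access-log line this parser understands
        ip, status = m["ip"], m["status"]
        path = unquote(m["path"])   # undo %-encoding before matching
        if m["method"] == "POST" and UPLOAD_RE.search(path):
            uploaders.add(ip)
            findings.append((n, ip, "upload-post", path, status))
        elif SHELL_RE.search(path):
            # Any PHP request under Document is worth triage; one that follows
            # an upload POST from the same client is the higher-priority case.
            kind = "php-after-upload" if ip in uploaders else "php-in-document"
            findings.append((n, ip, kind, path, status))
    return findings

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2022:08:01:02 +0000] "GET /eoffice/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2022:08:03:11 +0000] "POST /eoffice/main/OfficeServer.php HTTP/1.1" 200 64 "-" "python-requests/2.28"',
    '198.51.100.7 - - [10/Oct/2022:08:03:15 +0000] "GET /eoffice/Document/a1.php HTTP/1.1" 200 12 "-" "python-requests/2.28"',
    '203.0.113.5 - - [11/Oct/2022:02:00:00 +0000] "GET /eoffice/%44ocument/a1.php?x=1 HTTP/1.1" 200 40 "-" "curl/7.85"',
    '192.0.2.10 - - [11/Oct/2022:09:00:00 +0000] "GET /eoffice/Document/report.docx HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The constructed POST line carries no Referer header, so a detection that requires a referer containing `/eoffice/` would not match it; treat the referer as a tuning aid, not a precondition.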

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2022-50993 - Weaver E-office Unauthenticated File Upload

Sigma YAML:
title: CVE-2022-50993 - Weaver E-office Unauthenticated File Upload
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
  Detects the unauthenticated arbitrary file upload vulnerability in Weaver E-office (CVE-2022-50993). This rule looks for POST requests to the OfficeServer.php endpoint, which is characteristic of the exploit. The presence of a .php extension in the URI and a referer containing '/eoffice/' further narrows down the detection to this specific vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2022-50993/
tags:
  - attack.initial_access
  - attack.t1190
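logsource:
  category: webserver
detection:
  selection:
    # W3C extended log field names, as used for Sigma webserver log sources
    cs-uri-stem|contains|all:
      - '/eoffice/main/OfficeServer.php'
      - '.php'  # already implied by the path above
    # Plain values are exact matches; Sigma has no 'exact' modifier
    cs-method: 'POST'
    sc-status: 200
    # Requests sent without a Referer header will not match this condition
    cs-referer|contains: '/eoffice/'
  condition: selection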
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2022-50993 | RCE | Weaver (Fanwei) E-office < 10.0_20221201 |
| CVE-2022-50993 | Arbitrary File Upload | OfficeServer.php endpoint |
| CVE-2022-50993 | Arbitrary File Upload | Multipart POST request with arbitrary filename and disguised content type |
| CVE-2022-50993 | RCE | Upload PHP webshells to Document directory and execute via HTTP GET |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 30, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
