Arbitrary File Read Vulnerability in Weaver E-cology by Fanwei
CVE-2022-50992

8.7HIGH

Key Information:

Vendor

Weaver Network Co., Ltd.

Status
E-cology
Vendor
CVE Published:
30 April 2026

What is CVE-2022-50992?

Weaver E-cology versions prior to 10.52 contain a vulnerability within the XmlRpcServlet interface at the XML-RPC endpoint. This flaw allows unauthenticated remote attackers to access and read sensitive files on the server by exploiting the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can potentially retrieve critical information such as system configurations and database credentials, which poses serious risks to data security. Exploit attempts leveraging this vulnerability were noted beginning December 14, 2022, by the Shadowserver Foundation.

Affected Version(s)

E-cology 0

References

https://www.weaver.com.cn/cs/securityDownload.html#
patch
https://www.weaver.com.cn/cs/ecology_full_log.html
release-notes
https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

The Shadowserver Foundation
.