Weaver e-cology Security Alert: Patch Your OA Systems Now

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Weaver e-cology, a widely used collaboration and office automation (OA) platform in China, was recently found vulnerable to a frontend file upload flaw that can lead to remote code execution (RCE).

Weaver has already released a patch to fix the issue. Our team at Chaitin Security Response Center analyzed and reproduced the vulnerability and released detection tools to help admins verify whether their deployments are affected.

Vulnerability Overview

• Type: Arbitrary File Upload → RCE
• Severity: High
• Attack Vector: Network (unauthenticated)
• Scope: Exploitable only in internal networks and under cluster deployment mode
• Impact: Remote command execution on the affected OA server

⚠️ Note: The exploit surface is very limited. Only Weaver e-cology deployments using cluster mode are impacted. Most standard single-node setups are not affected.

Detection Tools

To make it easier for sysadmins and security teams to check exposure, Chaitin has published two tools:

X-POC (Remote Detection)

xpoc -r 404 -t http://10.1.1.1

Download:

• GitHub Repository
• Chaitin Stack Tool Page

CloudWalker (Local Detection)

./weaver_ecology_frontend_file_upload_vuln_scanner_windows_amd64.exe

Download:

• Chaitin Stack Tool Page

Affected Versions

• e-cology 9 → Patch version < 10.58.3
• e-cology 8 → Patch version < 10.58.3

Solutions

Official Patch

Weaver has released updated patches.

👉 Download from official site

Temporary Mitigation

• Restrict network access with ACLs, only allowing trusted IP ranges.
• Avoid exposing the system directly to the internet unless necessary.

Product Support

• YunTu → Supports fingerprinting of Weaver products by default.
• DongJian → Emergency update package 6.12.3 to be released July 31.
• SafeLine WAF → Virtual patch released to block exploitation attempts.
• QuanXi → Rule update package released, supports detection of exploitation.
• CloudWalker → Users on 23.05.001+ can download emergency vuln intel pack EMERVULN-23.07.028 for detection.

Timeline

• 2025-07-25 → Weaver publishes advisory and patch
• 2025-07-26 → Chaitin emergency team receives intelligence
• 2025-07-27 → Vulnerability analysis and reproduction completed
• 2025-07-28 → Chaitin Security Response Center publishes advisory

TL;DR

• Weaver e-cology cluster deployments had a file upload → RCE flaw.
• Exploitable only in internal networks, reducing real-world risk.
• Patch 10.58.3 fixes the issue — update immediately.
• Detection tools (X-POC, CloudWalker) are available for admins to verify exposure.
• SafeLine WAF users are already protected via virtual patch.

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

• GitHub Repository
• Official Docs
• Discord Community