CVE-2022-50993

CVE-2022-50993 is an unauthenticated arbitrary file upload vulnerability affecting Weaver (Fanwei) E-Office versions prior to 10.0_20221201. The flaw resides in the OfficeServer.php endpoint, which permits remote attackers to upload malicious files through multipart POST requests using arbitrary filenames and disguised content types. This leads to the placement of files, such as PHP webshells, in the Document directory. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction by sending crafted HTTP requests to the vulnerable endpoint. Successful exploitation allows uploading and executing PHP webshells via subsequent HTTP GET requests, resulting in remote code execution with the privileges of the web server user. This grants attackers high confidentiality, integrity, and availability impacts, potentially enabling full server compromise.

Advisories, including those from the vendor at service.e-office.cn and third-party sources like Chaitin, CN-Sec, and VulnCheck, highlight the need to upgrade to Weaver E-Office version 10.0_20221201 or later to mitigate the issue. Exploitation evidence was first observed in the wild by the Shadowserver Foundation on 2022-10-10 (UTC), indicating active targeting prior to the CVE publication on 2026-04-30.