Fanwei E-office unauth file upload RCE (CVE-2022-50993)
CVE-2022-50993: Unauthenticated arbitrary file upload in Fanwei E-office before 10.0_20221201 leads to RCE. CVSS 9.8. Update to version 10.0_20221201 or later.
Patch now - CVE-2022-50993 is a critical unauthenticated file upload vulnerability in Fanwei (Weaver) E-office versions prior to 10.0_20221201 that allows remote attackers to achieve remote code execution by uploading a PHP webshell. Exploitation evidence was first observed on 2022-10-10, and a patch is available in version 10.0_20221201.
Overview
CVE-2022-50993 affects the OfficeServer.php endpoint in Weaver (Fanwei) E-office, a widely used office automation suite in Chinese-speaking regions. The vulnerability stems from insufficient file type validation when processing multipart POST requests. An unauthenticated attacker can upload files with arbitrary filenames and disguised MIME types directly to the Document directory.
Once a malicious PHP file is uploaded, the attacker executes it via a simple HTTP GET request, achieving remote code execution with the privileges of the web server user. This allows full compromise of the application and underlying server.
Impact
- CVSS 9.8 (Critical) - no authentication or user interaction required
- Attack complexity: Low - exploitation requires only a crafted HTTP request
- Result: Complete loss of confidentiality, integrity, and availability
- Risk: Potential lateral movement within the internal network if the web server is not properly segmented
Remediation
- Immediate action: Upgrade Fanwei E-office to version 10.0_20221201 or later. This patch adds proper file type validation and restricts upload destinations.
- Mitigation (if patching is delayed): Restrict network access to the OfficeServer.php endpoint to trusted IP ranges only. Monitor web server logs for unexpected file uploads to the Document directory, particularly .php and .phtml files.
- Detection: Look for POST requests to OfficeServer.php with suspicious file extensions in the filename parameter. Check the Document directory for unauthorized PHP files.
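The log checks from the Mitigation and Detection items above can be scripted. The following is an added example, not code from the vendor or this advisory. It assumes access logs in the Apache/nginx "combined" format; the `/PLACEHOLDER/` prefix stands in for the real install path, which the advisory does not give, and `triage` is a hypothetical helper name. Access logs do not record the multipart filename, so the script correlates POSTs to OfficeServer.php with later requests for `.php`/`.phtml` files under the Document directory.

```python
import re

# Constructed sample lines (combined log format). /PLACEHOLDER/ is not the real
# install path; substitute the path used by your deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:03:14:01 +0000] "POST /PLACEHOLDER/OfficeServer.php HTTP/1.1" 200 12 "-" "curl/7.85"
203.0.113.7 - - [10/Oct/2022:03:14:05 +0000] "GET /PLACEHOLDER/Document/notes.php HTTP/1.1" 200 431 "-" "curl/7.85"
198.51.100.20 - - [10/Oct/2022:09:00:00 +0000] "GET /PLACEHOLDER/Document/report.docx HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2022:09:01:00 +0000] "GET /PLACEHOLDER/Document/old.phtml?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_ENDPOINT = re.compile(r'/OfficeServer\.php$', re.I)
# A script extension anywhere under a Document directory, with or without PATH_INFO.
SCRIPT_IN_DOCUMENT = re.compile(r'/Document/.*\.(?:php|phtml)(?:/|$)', re.I)

def triage(log_text):
    """Return (kind, ip, timestamp, path, status) tuples in log order."""
    posted = set()          # source IPs already seen POSTing to the upload endpoint
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue        # skip lines that are not in combined format
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]   # match on the path, ignore the query string
        if method == "POST" and UPLOAD_ENDPOINT.search(path):
            posted.add(ip)
            findings.append(("upload-endpoint-post", ip, ts, path, status))
        elif SCRIPT_IN_DOCUMENT.search(path):
            if status.startswith("2"):
                # The script exists and was served; an earlier POST from the
                # same IP makes this the highest-priority lead.
                kind = "script-executed-after-upload" if ip in posted else "script-executed"
            else:
                kind = "script-probe"
            findings.append((kind, ip, ts, path, status))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Any `script-executed` result also warrants checking the Document directory on disk for the named file, since the upload may predate the retained logs.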
Security Insight
This vulnerability echoes a recurring pattern in enterprise office software: developers prioritize ease of file sharing over security validation. Fanwei E-office’s file upload mechanism relied on trusting client-supplied content types rather than validating file contents server-side - a mistake that has caused similar RCE vulnerabilities in products like Seeyon and Landray. Organizations running Chinese OA suites should treat file upload endpoints as critical attack surface, applying strict allowlists for file extensions and MIME types at the application layer, not the logic layer.