CVE-2022-50993
Published: 30 April 2026
Summary
CVE-2022-50993 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-50993 is an unauthenticated arbitrary file upload vulnerability affecting Weaver (Fanwei) E-Office versions prior to 10.0_20221201. The flaw resides in the OfficeServer.php endpoint, which permits remote attackers to upload malicious files through multipart POST requests using arbitrary filenames and disguised content types. This leads to the placement of files, such as PHP webshells, in the Document directory. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction by sending crafted HTTP requests to the vulnerable endpoint. Successful exploitation allows uploading and executing PHP webshells via subsequent HTTP GET requests, resulting in remote code execution with the privileges of the web server user. This grants attackers high confidentiality, integrity, and availability impacts, potentially enabling full server compromise.
Advisories, including those from the vendor at service.e-office.cn and third-party sources like Chaitin, CN-Sec, and VulnCheck, highlight the need to upgrade to Weaver E-Office version 10.0_20221201 or later to mitigate the issue. Exploitation evidence was first observed in the wild by the Shadowserver Foundation on 2022-10-10 (UTC), indicating active targeting prior to the CVE publication on 2026-04-30.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55965
Vulnerability details
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can…
more
upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2022-50993 allows unauthenticated arbitrary file upload to a public-facing web application endpoint, enabling exploitation of public-facing applications (T1190) and deployment/execution of PHP webshells for RCE (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates file content types and payloads in multipart POST requests to OfficeServer.php, preventing uploads of malicious PHP webshells with disguised content types.
Restricts classes of allowed file types and filenames for uploads to the Document directory, blocking arbitrary dangerous files like PHP webshells.
Remediates the specific flaw in OfficeServer.php by applying vendor patches to Weaver E-Office version 10.0_20221201 or later, eliminating the vulnerability.