Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation platform since mid-March to run discovery commands.
The attacks began five days after the software vendor released a security update to address the issue, and two weeks before disclosing it publicly.
Researchers at threat intelligence firm Vega documented the malicious activity and reported that the attacks lasted roughly a week, each with several distinct phases.
Weaver E-cology is an enterprise office automation (OA) and collaboration platform used for workflows, document management, HR, and internal business processes. The product is primarily used by Chinese organizations.
CVE-2026-22679 is a critical unauthenticated remote code execution flaw affecting E-cology 10.0 builds prior to March 12.
The flaw is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation.
This lets attackers pass crafted values that are ultimately executed as system commands on the server, effectively turning the endpoint into a remote command execution interface.
According to Vega, the attackers first checked for remote code execution (RCE) capability by triggering ping commands from the Java process to a Goby-linked callback, and then proceeded to several PowerShell-based payload downloads. However, all of these were blocked by endpoint defenses.
Next, they tried to deploy a target-aware MSI installer (fanwei0324.msi), but it did not execute properly, and no follow-up activity was observed.
After these failed attempts, the attackers reverted to the RCE endpoint, using obfuscated and fileless PowerShell to repeatedly fetch remote scripts.
Throughout all attack phases, the threat actors executed reconnaissance commands such as whoami, ipconfig, and tasklist.

Source: Vega
Vega explains that although the attackers had the RCE opportunity by exploiting CVE-2026-22679, they never established a persistent session on the targeted host.
Users of Weaver E-cology 10.0 are recommended to apply the security updates available through the vendor's website as soon as possible.
“Each attacker process we observed is parented by java.exe (Weaver's Tomcat-bundled Java Virtual Machine), with no preceding authentication,” explained Vega, adding that “the vendor fix (build 20260312) removes the debug endpoint entirely.”
No other mitigations or workarounds are listed in the official bulletin, so upgrading is the only recommendation.
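The two observations above (every attacker process was a child of the OA server's java.exe, and the activity consisted of recon commands, PowerShell stagers and an MSI drop) translate directly into a triage heuristic for process-creation telemetry. The following Python is an added example, not code from Vega or the article; field names follow Sysmon Event ID 1 conventions and the sample events are constructed.

```python
"""Flag java.exe-parented post-exploitation activity on a Weaver E-cology host.

Heuristic (from Vega's report): an OA server's Tomcat JVM should not spawn
shells, recon binaries, PowerShell stagers or msiexec. Events use Sysmon
Event ID 1 field names (ParentImage, Image, CommandLine) and are constructed.
"""
import re
from typing import Iterable, Optional

RECON_BINARIES = {"whoami.exe", "ipconfig.exe", "tasklist.exe", "ping.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_WORDS = re.compile(r"\b(whoami|ipconfig|tasklist|ping)\b", re.IGNORECASE)
# Markers of encoded / download-cradle / fileless PowerShell (not exhaustive)
PS_STAGER = re.compile(r"-e(nc|ncodedcommand)?\b|downloadstring|\biex\b|invoke-expression"
                       r"|frombase64string|-nop\b|bypass|hidden", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the pattern, else None."""
    if _basename(event.get("ParentImage", "")) != "java.exe":
        return None  # pattern is specific to children of the OA server's JVM
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if image in RECON_BINARIES:
        return f"recon binary {image} spawned by java.exe"
    if image in SHELLS and RECON_WORDS.search(cmdline):
        return f"recon command via {image}"
    if image in {"powershell.exe", "pwsh.exe"} and PS_STAGER.search(cmdline):
        return "suspicious PowerShell (encoded/download/fileless) under java.exe"
    if image == "msiexec.exe":
        return "MSI installer launched from java.exe"
    if image in SHELLS:
        return f"{image} spawned by java.exe"  # rare for an OA server; review
    return None


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (command line, reason) for every event worth an analyst's look."""
    return [(e["CommandLine"], r) for e in events if (r := classify(e))]


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"ParentImage": r"C:\Weaver\jdk\bin\java.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Weaver\jdk\bin\java.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc <base64-blob>"},
    {"ParentImage": r"C:\Weaver\jdk\bin\java.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig"},  # admin at the console, wrong parent: ignored
]
```

Paths under `C:\Weaver\` are placeholders; match on the actual install location of the Tomcat-bundled JVM in your environment.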