Weaver E-cology critical bug exploited in attacks since March

Published: (May 4, 2026 at 06:12 PM EDT)

Source: Bleeping Computer

Overview


Hackers have been exploiting a critical vulnerability (CVE‑2026‑22679) in the Weaver E‑cology office automation platform since mid‑March to run discovery commands. The attacks began five days after the vendor released a security update to address the issue, and two weeks before the vulnerability was disclosed publicly.

Researchers at threat‑intelligence company Vega documented the malicious activity and reported that the attacks lasted roughly a week, each with several distinct phases.

Weaver E‑cology is an enterprise office‑automation (OA) and collaboration platform used for workflows, document management, HR, and internal business processes. The product is primarily used by Chinese organizations.

Vulnerability Overview

  • CVE‑2026‑22679 – critical unauthenticated remote code execution (RCE) flaw affecting E‑cology 10.0 builds prior to March 12.
  • Root cause: an exposed debug API endpoint that forwards user‑supplied parameters to backend Remote Procedure Call (RPC) functionality without authentication or input validation.
  • Impact: attackers can supply crafted values that are executed as system commands on the server, effectively turning the endpoint into a remote command‑execution interface.

Attack Timeline

Activity timeline – Source: Vega

  • Initial reconnaissance – attackers triggered ping commands from the Java process to a Goby‑linked callback to verify RCE capability.
  • Payload attempts – multiple PowerShell‑based payload downloads were attempted but blocked by endpoint defenses.
  • MSI deployment – a target‑aware MSI installer (fanwei0324.msi) was delivered but failed to execute; no follow‑up activity observed.
  • Fileless PowerShell – attackers reverted to the RCE endpoint, using obfuscated, fileless PowerShell to repeatedly fetch remote scripts.
  • System enumeration – throughout all phases, commands such as whoami, ipconfig, and tasklist were executed.

Vega notes that, although the RCE opportunity existed, the attackers never established a persistent session on the targeted host.

Mitigation and Recommendations

  • Users of Weaver E‑cology 10.0 should apply the security updates available through the vendor’s site as soon as possible: Security Update (build 20260312).
  • The vendor fix (build 20260312) removes the debug endpoint entirely, eliminating the attack surface.
  • No alternative mitigations or workarounds are listed in the official bulletin; upgrading is the only recommended action.

“Every attacker process we observed is parented by java.exe (Weaver’s Tomcat‑bundled Java Virtual Machine), with no preceding authentication,” explained Vega. “The vendor fix removes the debug endpoint entirely.” – Vega blog post
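The timeline above and Vega's quote give defenders one concrete signal: every observed attacker process was a child of Weaver's Tomcat-bundled java.exe, and the children were ping, shells, and host-enumeration tools (whoami, ipconfig, tasklist). The script below is an added example, not Vega's or Weaver's code, that applies that parent/child heuristic to process-creation records. The CSV layout (ParentImage, Image, CommandLine), the sample events, the install path under C:\Weaver, the `.invalid` callback host and the encoded PowerShell argument are all constructed for illustration; real telemetry would come from Sysmon Event ID 1 or an EDR export.

```python
"""Flag process-creation events whose parent is the Weaver JVM (java.exe) and
whose child is a shell, ping, or an enumeration tool, mirroring the
parent/child relationship the article describes. Added example, not code
from Vega, Weaver, or the original article."""
import csv
import io
import re
from collections import Counter

SUSPECT_PARENT = "java.exe"                       # Weaver's Tomcat-bundled JVM
ENUM_TOOLS = {"whoami.exe", "ipconfig.exe", "tasklist.exe"}   # named in the article
ENUM_WORDS = ("whoami", "ipconfig", "tasklist")   # same tools when run via a shell
RECON_TOOLS = {"ping.exe"}                        # initial reconnaissance phase
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events (not real telemetry) in a minimal CSV layout
# resembling Sysmon Event ID 1 fields. Paths and hosts are placeholders.
SAMPLE_EVENTS = """\
ParentImage,Image,CommandLine
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c ping -n 1 example-callback.invalid
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Windows\\System32\\whoami.exe,whoami
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Windows\\System32\\ipconfig.exe,ipconfig /all
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Windows\\System32\\tasklist.exe,tasklist
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -nop -w hidden -enc PLACEHOLDER
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c ipconfig
C:\\Weaver\\jdk\\bin\\java.exe,C:\\Weaver\\jdk\\bin\\java.exe,java -jar worker.jar
"""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a phase label for a suspicious java.exe child, else None."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event["CommandLine"].lower()
    if parent != SUSPECT_PARENT:
        return None  # only children of the Weaver JVM are in scope here
    if child == "powershell.exe":
        return "powershell-from-java"  # matches the fileless PowerShell phase
    if child in RECON_TOOLS or (child in SHELLS and re.search(r"\bping\b", cmd)):
        return "recon-ping"            # matches the initial reconnaissance phase
    if child in ENUM_TOOLS or (child in SHELLS and any(w in cmd for w in ENUM_WORDS)):
        return "host-enumeration"      # whoami / ipconfig / tasklist
    if child in SHELLS:
        return "shell-from-java"       # any other shell spawned by the JVM
    return None


def scan(text):
    """Parse CSV process events and return (label, command line) for each hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        label = classify(row)
        if label:
            hits.append((label, row["CommandLine"]))
    return hits


def summarize(text):
    """Count hits per phase label, handy for a quick triage view."""
    return Counter(label for label, _ in scan(text))


if __name__ == "__main__":
    for label, cmd in scan(SAMPLE_EVENTS):
        print(f"{label:22} {cmd}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

The ordinary java.exe-to-java.exe worker spawn and the explorer.exe-launched ipconfig are deliberately left unflagged: the point of the heuristic is the unauthenticated web-tier JVM spawning interactive tooling, not the tools themselves. On a real deployment, baseline what the Weaver JVM normally spawns first, since some legitimate integrations may fork helpers.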
