Hackers have been exploiting a important vulnerability (CVE-2026-22679) within the Weaver E-cology workplace automation since mid-March to run discovery instructions.
The assaults began 5 days after the software program vendor launched a safety replace to deal with the problem, and two weeks earlier than disclosing it publicly.
Researchers at menace intelligence firm Vega documented the malicious exercise and reported that the assaults lasted roughly per week, every with a number of distinct phases.
Weaver E-cology is an enterprise workplace automation (OA) and collaboration platform used for workflows, doc administration, HR, and inner enterprise processes. The product is primarily utilized by Chinese language organizations.
CVE-2026-22679 is a important unauthenticated distant code execution flaw affecting E-cology 10.0 builds previous to March 12.
The flaw is brought on by an uncovered debug API endpoint that improperly permits user-supplied parameters to achieve backend Distant Process Name (RPC) performance with out authentication or enter validation.
This lets attackers cross crafted values which are finally executed as system instructions on the server, successfully turning the endpoint right into a distant command execution interface.
In response to Vega, the attackers first checked for distant code execution (RCE) capabilities by triggering ping instructions from the Java course of to a Goby-linked callback, after which proceeded to a number of PowerShell-based payload downloads. Nevertheless, all these have been blocked by endpoint defenses.
Subsequent, they tried to deploy a target-aware MSI installer (fanwei0324.msi), however this did not execute correctly, and no follow-up exercise was noticed.
After these failed makes an attempt, the attackers reverted to the RCE endpoint, utilizing obfuscated and fileless PowerShell to repeatedly fetch distant scripts.
All through all assault phases, the menace actors executed reconnaissance instructions, corresponding to whoami, ipconfig, and tasklist.
Supply: Vega
Vega explains that though the attackers had the RCE alternative by exploiting CVE-2026-22679, they by no means established a persistent session on the focused host.
Customers of Weaver E-cology 10.0 are advisable to apply the safety updates out there by means of the seller’s web site as quickly as doable.
“Each attacker course of we noticed is parented by java.exe (Weaver’s Tomcat-bundled Java Digital Machine), with no previous authentication,” defined Vega, including that “the seller repair (construct 20260312) removes the debug endpoint fully.”
No different mitigations or workarounds are listed within the official bulletin, so upgrading is the one advice.
AI chained 4 zero-days into one exploit that bypassed each renderer and OS sandboxes. A wave of latest exploits is coming.
On the Autonomous Validation Summit (Could 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls maintain, and closes the remediation loop.
