Hackers have been exploiting a essential vulnerability (CVE-2026-22679) within the Weaver E-cology workplace automation since mid-March to run discovery instructions.
The assaults began 5 days after the software program vendor launched a safety replace to handle the difficulty, and two weeks earlier than disclosing it publicly.
Researchers at menace intelligence firm Vega documented the malicious exercise and reported that the assaults lasted roughly every week, every with a number of distinct phases.
Weaver E-cology is an enterprise workplace automation (OA) and collaboration platform used for workflows, doc administration, HR, and inner enterprise processes. The product is primarily utilized by Chinese language organizations.
CVE-2026-22679 is a essential unauthenticated distant code execution flaw affecting E-cology 10.0 builds previous to March 12.
The flaw is brought on by an uncovered debug API endpoint that improperly permits user-supplied parameters to achieve backend Distant Process Name (RPC) performance with out authentication or enter validation.
This lets attackers move crafted values which might be in the end executed as system instructions on the server, successfully turning the endpoint right into a distant command execution interface.
In line with Vega, the attackers first checked for distant code execution (RCE) capabilities by triggering ping instructions from the Java course of to a Goby-linked callback, after which proceeded to a number of PowerShell-based payload downloads. Nevertheless, all these had been blocked by endpoint defenses.
Subsequent, they tried to deploy a target-aware MSI installer (fanwei0324.msi), however this did not execute correctly, and no follow-up exercise was noticed.
After these failed makes an attempt, the attackers reverted to the RCE endpoint, utilizing obfuscated and fileless PowerShell to repeatedly fetch distant scripts.
All through all assault phases, the menace actors executed reconnaissance instructions, reminiscent of whoami, ipconfig, and tasklist.
Supply: Vega
Vega explains that though the attackers had the RCE alternative by exploiting CVE-2026-22679, they by no means established a persistent session on the focused host.
Customers of Weaver E-cology 10.0 are really useful to apply the safety updates accessible by the seller’s website as quickly as doable.
“Each attacker course of we noticed is parented by java.exe (Weaver’s Tomcat-bundled Java Digital Machine), with no previous authentication,” defined Vega, including that “the seller repair (construct 20260312) removes the debug endpoint totally.”
No different mitigations or workarounds are listed within the official bulletin, so upgrading is the one advice.
AI chained 4 zero-days into one exploit that bypassed each renderer and OS sandboxes. A wave of latest exploits is coming.
On the Autonomous Validation Summit (Might 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls maintain, and closes the remediation loop.
