CyberHappenings

Unauthenticated remote code execution in Weaver E-cology exploited prior to public disclosure

1 unique source, 1 article

Summary


Since mid-March 2026, attackers have exploited an unauthenticated remote code execution vulnerability (CVE-2026-22679) in Weaver E-cology, an enterprise office automation platform widely used by Chinese organizations. The flaw exists in versions prior to March 12 and stems from an exposed, unauthenticated debug API endpoint that improperly processes user-supplied parameters, allowing arbitrary system command execution via crafted RPC inputs. Exploitation began five days after the vendor released a security update and two weeks before public disclosure, with the threat actors conducting multi-stage operations focused on reconnaissance and lateral movement prior to detection. No persistent access was established on compromised hosts despite successful exploitation attempts.

Timeline

  1. 05.05.2026 01:12 · 1 article

    Exploitation of Weaver E-cology RCE prior to public disclosure, mid-March 2026

    Unauthenticated remote code execution in Weaver E-cology versions prior to March 12, 2026, was exploited starting mid-March by attackers conducting reconnaissance and evasion operations. Exploitation occurred five days after a vendor patch release and two weeks before public disclosure. The attack vector relied on an exposed debug API endpoint enabling arbitrary system command execution via crafted RPC inputs. Threat actors attempted payload deployment and persistence but were blocked by endpoint defenses; all activity was parented by Weaver’s Java process without prior authentication.


Information Snippets

  • CVE-2026-22679 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Weaver E-cology 10.0 builds prior to March 12, 2026.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • The vulnerability originates from an exposed debug API endpoint that fails to validate user input, enabling direct system command execution via backend RPC functionality without authentication.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • Exploitation began approximately mid-March 2026, five days after the vendor released a security update and two weeks prior to public disclosure.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • Attackers leveraged the RCE endpoint to execute discovery commands (e.g., whoami, ipconfig, tasklist), attempt PowerShell-based payload downloads, and deploy an MSI installer (fanwei0324.msi), though these actions were blocked by endpoint defenses.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • Threat actors used obfuscated, fileless PowerShell scripts to repeatedly fetch remote payloads via the compromised endpoint, maintaining reconnaissance focus throughout failed persistence attempts.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • All observed attack processes were parented by java.exe (Weaver’s Tomcat-bundled JVM), confirming the absence of prior authentication steps.

    First reported: 05.05.2026 01:12
    1 source, 1 article
  • The vendor’s fix (build 20260312) removes the debug endpoint entirely, with no alternative mitigations provided.

    First reported: 05.05.2026 01:12
    1 source, 1 article
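An added detection example, not code from the source article or from Weaver: a small Python triage routine that flags the parent/child pattern the snippets above describe (java.exe from the E-cology install spawning whoami/ipconfig/tasklist, PowerShell download attempts, and msiexec). The install path, the loader markers, and the sample process-creation events are constructed assumptions.

```python
"""Flag process-creation events in which Weaver E-cology's bundled java.exe
spawns the discovery or loader tooling described above.  Install path, loader
markers and sample events are constructed assumptions, not data from the page."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISCOVERY = {"whoami", "ipconfig", "tasklist"}          # recon commands reported
LOADERS = {"powershell.exe", "msiexec.exe", "cmd.exe"}   # payload delivery hosts

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str

def is_weaver_jvm(parent_image: str) -> bool:
    """True for java.exe living under an ecology install tree (assumed layout)."""
    p = parent_image.replace("/", "\\").lower()
    return ntpath.basename(p) == "java.exe" and "\\ecology\\" in p

def classify(ev: ProcEvent) -> Optional[str]:
    """Return 'discovery', 'loader', 'shell', or None when nothing matches."""
    if not is_weaver_jvm(ev.parent_image):
        return None                      # JVM is not the parent: out of scope
    child = ntpath.basename(ev.image).lower()
    cl = ev.command_line.lower()
    if child.removesuffix(".exe") in DISCOVERY or any(f" {t}" in f" {cl}" for t in DISCOVERY):
        return "discovery"
    if child in LOADERS:
        if any(m in cl for m in ("-enc", "downloadstring", "invoke-webrequest", ".msi")):
            return "loader"              # download or install stage
        return "shell"                   # shell from the JVM with no payload markers
    return None

def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Pair each suspicious event index with its verdict; benign events are dropped."""
    return [(i, v) for i, ev in enumerate(events) if (v := classify(ev))]

JVM = r"D:\ecology\jdk\bin\java.exe"   # hypothetical install path
SAMPLE_EVENTS = [  # constructed, mirroring the activity the page describes
    ProcEvent(JVM, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(JVM, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(JVM, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc AAAAAAAA"),
    ProcEvent(JVM, r"C:\Windows\System32\msiexec.exe", "msiexec /i fanwei0324.msi /qn"),
    ProcEvent(JVM, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the first four events (two discovery, two loader) and ignores the conhost child and the explorer-parented whoami, which is the distinction the java.exe parentage gives a defender.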