Weaver E-cology 10.0 unauthenticated RCE flaw (CVE-2026-22679)

Vulnerability
Happening score: 44
2 unique sources, 2 articles

Summary

CVE-2026-22679 exposed Weaver E-cology 10.0 builds prior to March 12 to unauthenticated remote code execution, allowing attackers to run system commands on the server. The flaw has been actively exploited since mid-March; the vendor’s build 20260312, which removes the debug endpoint, is the only stated fix.

Timeline

  1. 05.05.2026 10:37 · 1 article

    Weaver E-cology CVE-2026-22679 abuse traced to March 17

    Exploitation Observed

    Evidence of active abuse against Weaver (Fanwei) E-cology CVE-2026-22679 dates to March 17, 2026; QiAnXin also said in its alert that it reproduced the unauthenticated remote code execution flaw that day.
  2. 05.05.2026 10:37 · 1 article

    Shadowserver first observed exploitation on March 31

    Exploitation Observed

    Shadowserver Foundation observed the first signs of active exploitation against Weaver E-cology CVE-2026-22679 on March 31, 2026, confirming continued abuse of the vulnerable debug API endpoint for arbitrary command execution.
  3. 05.05.2026 10:37 · 2 articles

    Public reporting detailed the Weaver E-cology exploitation campaign

    Initial Disclosure

    Public reporting on Weaver E-cology CVE-2026-22679 described roughly a week of operator activity, including RCE verification, three failed payload drops, an attempted pivot to an MSI implant named fanwei0324.msi, short bursts of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure, and discovery commands such as whoami, ipconfig, and tasklist; Kerem Oruc also released a Python-based detection script that checks whether the susceptible API endpoint is accessible.
  4. 05.05.2026 01:12 · 1 article

    Vega reports active CVE-2026-22679 exploitation in Weaver E-cology

    Initial Disclosure

    Vega reported active exploitation of CVE-2026-22679 in Weaver E-cology 10.0 builds prior to March 12, with attackers running discovery commands since mid-March. They first checked remote code execution by triggering ping commands from java.exe to a Goby-linked callback, then attempted multiple PowerShell-based payload downloads and a fanwei0324.msi installer before reverting to obfuscated fileless PowerShell. Endpoint defenses blocked execution and no persistent session was established. The vendor fix is build 20260312, which removes the debug endpoint entirely.
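
The child-process pattern reported in the timeline (java.exe launching ping, discovery commands, PowerShell and an MSI install) can be hunted in endpoint process-creation logs. The sketch below is an added example, not code from the cited reports or from Kerem Oruc's script; it assumes Sysmon-style fields (`ParentImage`, `Image`, `CommandLine`), and every sample event, path and hostname in it is constructed.

```python
import ntpath

# Child processes the page reports being launched from the E-cology Java
# process: the ping RCE check, discovery commands, PowerShell and the MSI.
SUSPECT_CHILDREN = {
    "ping.exe": "rce-check",
    "whoami.exe": "discovery",
    "ipconfig.exe": "discovery",
    "tasklist.exe": "discovery",
    "powershell.exe": "powershell",
    "msiexec.exe": "msi-install",
}
MSI_NAME = "fanwei0324.msi"  # installer name given on the page

def basename(path):
    """Lower-cased Windows file name, independent of the host OS."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a finding dict for a suspicious event, else None."""
    cmdline = event.get("CommandLine", "").lower()
    if MSI_NAME in cmdline:  # installer name matches regardless of parent
        return {"stage": "msi-install", "reason": MSI_NAME, "event": event}
    if basename(event.get("ParentImage", "")) != "java.exe":
        return None
    stage = SUSPECT_CHILDREN.get(basename(event.get("Image", "")))
    if stage is None:
        return None
    return {"stage": stage, "reason": "java.exe child", "event": event}

def hunt(events):
    """Filter a list of process-creation events down to findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (not real telemetry); JAVA is a placeholder path.
JAVA = r"D:\app\jdk\bin\java.exe"
SAMPLE = [
    {"ParentImage": JAVA, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping callback.example.invalid"},
    {"ParentImage": JAVA, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist"},
    {"ParentImage": JAVA, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell <redacted>"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec /i C:\Temp\fanwei0324.msi"},
    {"ParentImage": JAVA, "Image": JAVA, "CommandLine": "java -version"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f["stage"], "|", f["reason"], "|", f["event"]["CommandLine"])
```

If commands run through an intermediate shell, the parent recorded in the event is that shell rather than java.exe, so the parent check has to be widened for that environment.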