Weaver E-cology Unauthenticated RCE Exploitation
A critical unauthenticated remote code execution vulnerability (CVE-2026-22679) in Weaver E-cology office automation software is being actively exploited to execute system commands and reconnaissance activities on affected servers.
A critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-22679, has been actively exploited in Weaver E-cology office automation software since mid-March 2026. The vulnerability impacts E-cology 10.0 builds prior to March 12, 2026, allowing attackers to execute arbitrary system commands without authentication. Threat actors were observed attempting to download and execute PowerShell-based payloads, as well as performing reconnaissance activities to gather information about the compromised systems. Weaver E-cology is primarily used by Chinese organizations. Defenders should prioritize patching vulnerable systems to prevent potential compromise and data exfiltration.
Attack Chain
- The attacker exploits CVE-2026-22679, an unauthenticated RCE vulnerability in Weaver E-cology 10.0.
- The attacker sends a crafted HTTP request to an exposed debug API endpoint.
- The crafted request bypasses authentication and input validation, allowing the attacker to inject commands.
- The injected commands are executed as system commands within the context of the Java process (java.exe) hosting Weaver’s Tomcat server.
- The attacker attempts to download and execute a target-aware MSI installer (fanwei0324.msi).
- The attacker uses obfuscated and fileless PowerShell to repeatedly fetch remote scripts after initial attempts are blocked by endpoint defenses.
- The attacker executes reconnaissance commands, such as whoami, ipconfig, and tasklist, to gather information about the compromised system.
- The attacker aims to establish a persistent session on the targeted host but, according to the report, has not been successful.
Impact
Successful exploitation of CVE-2026-22679 allows attackers to execute arbitrary system commands on vulnerable Weaver E-cology servers, potentially leading to complete system compromise. The attackers can perform reconnaissance, install malware, exfiltrate sensitive data, or disrupt business operations. Given the software’s use in workflows, document management, HR, and internal business processes, a successful attack could have significant consequences.
Recommendation
- Apply the security updates provided by Weaver to address CVE-2026-22679 on all E-cology 10.0 installations prior to build 20260312.
- Monitor process creation events where the parent process is java.exe (Weaver’s Tomcat-bundled Java Virtual Machine) for suspicious command-line arguments using the “Detect Weaver E-cology RCE via Java Process” Sigma rule.
- Monitor for the creation of processes executing reconnaissance commands (whoami, ipconfig, tasklist) after java.exe, using the “Detect Reconnaissance Activity After Weaver E-cology RCE” Sigma rule.
- Inspect network connections initiated by the java.exe process, filtering for connections to uncommon or suspicious destinations.
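The two Sigma rules named in the recommendations above are not reproduced on this page. What follows is an added Python example (not the vendor's or the detection platform's own rule logic) that applies the same two conditions to Sysmon Event ID 1-style process-creation records; the sample events, ProcessGuid values and file paths are constructed for illustration. Ancestry is followed through ParentProcessGuid so that a reconnaissance binary launched via cmd.exe under java.exe still matches the second rule.

```python
JAVA = "java.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"whoami.exe", "ipconfig.exe", "tasklist.exe"}
# Command-line tokens typical of the download-and-execute stage described in the attack chain.
LOADER_TOKENS = ("downloadstring", "downloadfile", "invoke-expression", "frombase64string", "msiexec", ".msi")

def _image(path):
    """Normalise an Image/ParentImage path to its lowercase basename."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _java_in_ancestry(guid, procs, max_depth=4):
    """Follow ParentProcessGuid links looking for java.exe (depth-bounded)."""
    for _ in range(max_depth):
        proc = procs.get(guid)
        if proc is None:
            return False
        if proc["image"] == JAVA:
            return True
        guid = proc["parent_guid"]
    return False

def triage(events):
    """Apply both detections to Sysmon Event ID 1-style records, in arrival order.
    Rule 1: java.exe spawns a shell or a child carrying loader tokens. Rule 2: a recon
    binary with java.exe in its recorded ancestry. Returns (rule name, ProcessGuid) pairs."""
    procs, alerts = {}, []
    for ev in events:
        image, parent = _image(ev["Image"]), _image(ev["ParentImage"])
        cmdline = ev.get("CommandLine", "").lower()
        procs[ev["ProcessGuid"]] = {"image": image, "parent_guid": ev["ParentProcessGuid"]}
        if parent == JAVA and (image in SHELLS or any(t in cmdline for t in LOADER_TOKENS)):
            alerts.append(("Detect Weaver E-cology RCE via Java Process", ev["ProcessGuid"]))
        if image in RECON and _java_in_ancestry(ev["ParentProcessGuid"], procs):
            alerts.append(("Detect Reconnaissance Activity After Weaver E-cology RCE", ev["ProcessGuid"]))
    return alerts

# Constructed sample telemetry (not real events): Tomcat's java.exe spawns cmd.exe, which runs
# whoami; an administrator's ipconfig with no java.exe ancestor must not fire either rule.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Weaver\jdk\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "java.exe org.apache.catalina.startup.Bootstrap start"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Weaver\jdk\bin\java.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "whoami"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g9", "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ipconfig /all"},
]
```

Weaver's java.exe legitimately spawning a shell should be rare, but baseline any scheduled helpers in your own environment before alerting at critical severity.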
Detection coverage (2 rules)
Detect Weaver E-cology RCE via Java Process
Severity: critical. Detects potential exploitation of the Weaver E-cology RCE vulnerability by monitoring process creation events where java.exe is the parent process and the child process executes system commands.
Detect Reconnaissance Activity After Weaver E-cology RCE
Severity: high. Detects reconnaissance commands executed after a process spawned by java.exe, potentially indicating exploitation of the Weaver E-cology vulnerability.