{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/weaver-ecology/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22679"}],"_cs_exploited":true,"_cs_products":["E-cology 10.0","Windows"],"_cs_severities":["critical"],"_cs_tags":["rce","weaver-ecology","cve-2026-22679","exploitation"],"_cs_type":"threat","_cs_vendors":["Weaver","Microsoft"],"content_html":"\u003cp\u003eA critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-22679, has been actively exploited in Weaver E-cology office automation software since mid-March 2026. The vulnerability impacts E-cology 10.0 builds prior to March 12, 2026, allowing attackers to execute arbitrary system commands without authentication. Threat actors were observed attempting to download and execute PowerShell-based payloads, as well as performing reconnaissance activities to gather information about the compromised systems. Weaver E-cology is primarily used by Chinese organizations. Defenders should prioritize patching vulnerable systems to prevent potential compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-22679, an unauthenticated RCE vulnerability in Weaver E-cology 10.0.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to an exposed debug API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses authentication and input validation, allowing the attacker to inject commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed as system commands within the context of the Java process (java.exe) hosting Weaver\u0026rsquo;s Tomcat server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to download and execute a target-aware MSI installer (fanwei0324.msi).\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscated and fileless PowerShell to repeatedly fetch remote scripts after initial attempts are blocked by endpoint defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker executes reconnaissance commands, such as \u003ccode\u003ewhoami\u003c/code\u003e, \u003ccode\u003eipconfig\u003c/code\u003e, and \u003ccode\u003etasklist\u003c/code\u003e, to gather information about the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker aims to establish a persistent session on the targeted host but, according to the report, has not been successful.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22679 allows attackers to execute arbitrary system commands on vulnerable Weaver E-cology servers, potentially leading to complete system compromise. The attackers can perform reconnaissance, install malware, exfiltrate sensitive data, or disrupt business operations. Given the software\u0026rsquo;s use in workflows, document management, HR, and internal business processes, a successful attack could have significant consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates provided by Weaver to address CVE-2026-22679 on all E-cology 10.0 installations prior to build 20260312.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events where the parent process is \u003ccode\u003ejava.exe\u003c/code\u003e (Weaver\u0026rsquo;s Tomcat-bundled Java Virtual Machine) for suspicious command-line arguments using the \u0026ldquo;Detect Weaver E-cology RCE via Java Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of processes executing reconnaissance commands (\u003ccode\u003ewhoami\u003c/code\u003e, \u003ccode\u003eipconfig\u003c/code\u003e, \u003ccode\u003etasklist\u003c/code\u003e) after java.exe, using the \u0026ldquo;Detect Reconnaissance Activity After Weaver E-cology RCE\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network connections initiated by the \u003ccode\u003ejava.exe\u003c/code\u003e process, filtering for connections to uncommon or suspicious destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T12:00:00Z","date_published":"2026-05-05T12:00:00Z","id":"/briefs/2026-05-weaver-ecology-rce/","summary":"A critical unauthenticated remote code execution vulnerability (CVE-2026-22679) in Weaver E-cology office automation software is being actively exploited to execute system commands and reconnaissance activities on affected servers.","title":"Weaver E-cology Unauthenticated RCE Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-05-weaver-ecology-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Weaver-Ecology","version":"https://jsonfeed.org/version/1.1"}