Critical Weaver E-cology Flaw Exploited in the Wild: Unauthenticated RCE Under Attack
A critical unauthenticated remote code execution (RCE) vulnerability in the **Weaver E-cology** office automation platform, tracked as **CVE-2026-22679**, has been actively exploited by attackers since mid-March. The flaw allows attackers to execute system commands on affected servers without authentication, posing a significant risk to organizations using the platform.

Hackers have been exploiting a critical vulnerability (**CVE-2026-22679**) in the **Weaver E-cology** office automation platform since mid-March to run discovery commands.
The attacks began a mere five days after the software vendor released a security update to address the issue, and two weeks before the vendor publicly disclosed the vulnerability.
**Vega**, a threat intelligence company, documented the malicious activity, reporting that the attacks spanned approximately one week, each comprising several distinct phases.
**Weaver E-cology** is an enterprise office automation (OA) and collaboration platform utilized for managing workflows, documents, HR processes, and internal business operations. The platform is primarily used by Chinese organizations.
## CVE-2026-22679: A Deep Dive
**CVE-2026-22679** represents a critical unauthenticated remote code execution flaw affecting **E-cology** 10.0 builds prior to March 12.
The root cause of the vulnerability lies in an exposed debug API endpoint. This endpoint improperly permits user-supplied parameters to interact with backend Remote Procedure Call (RPC) functionality, bypassing both authentication and input validation mechanisms.
This oversight enables attackers to inject crafted values that are subsequently executed as system commands on the server, effectively transforming the endpoint into a remote command execution interface.
## Attack Analysis
According to **Vega**'s analysis, the attackers initially tested for remote code execution (RCE) capabilities by triggering ping commands from the Java process to a Goby-linked callback. Following this, they attempted to download multiple PowerShell-based payloads. However, these attempts were thwarted by endpoint defenses.
Subsequently, the attackers attempted to deploy a target-aware MSI installer (`fanwei0324.msi`). This attempt also failed, and no further activity was observed related to this approach.
Following these unsuccessful attempts, the attackers reverted to exploiting the RCE endpoint. They employed obfuscated and fileless PowerShell scripts to repeatedly fetch remote scripts.
Throughout all phases of the attack, the threat actors consistently executed reconnaissance commands, including `whoami`, `ipconfig`, and `tasklist`.

**Vega** emphasizes that despite having the opportunity to execute arbitrary code via **CVE-2026-22679**, the attackers did not establish a persistent session on the targeted host.
## Mitigation
Users of **Weaver E-cology** 10.0 are strongly advised to apply the security updates available on the vendor's website as soon as possible.
"Every attacker process we observed is parented by `java.exe` (**Weaver's** Tomcat-bundled Java Virtual Machine), with no preceding authentication," **Vega** explained, adding that "the vendor fix (build 20260312) removes the debug endpoint entirely."
No alternative mitigations or workarounds are provided in the official bulletin; therefore, upgrading to the latest patched version is the only recommended course of action.
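Vega's observation that every attacker process is parented by `java.exe`, together with the reconnaissance commands listed in the attack analysis above, suggests a simple process-tree detection for defenders who cannot patch immediately. The following is an added example (not code from the article, Vega or Weaver): it scans constructed Sysmon-style process-creation records in an assumed `parent|image|command_line` format and flags shells, recon tools and encoded PowerShell spawned by the Tomcat JVM.

```python
# Added example (not from the article, Vega or Weaver): flag shells and recon
# tools spawned by the E-cology Tomcat JVM, the pattern the article describes.
# The "parent|image|command_line" record format is an assumption; real
# telemetry (Sysmon Event ID 1, EDR process trees) would be mapped onto it.
import re
from pathlib import PureWindowsPath

# Binaries the article reports being launched from java.exe during the attacks.
RECON_TOOLS = {"whoami.exe", "ipconfig.exe", "tasklist.exe", "ping.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe"}
# Encoded PowerShell (fileless stagers) is a second, stronger signal.
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Constructed sample records; the base64 blob is a placeholder, not a real payload.
SAMPLE_LOG = """\
C:\\Weaver\\jdk\\bin\\java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
C:\\Weaver\\jdk\\bin\\java.exe|C:\\Windows\\System32\\whoami.exe|whoami
C:\\Weaver\\jdk\\bin\\java.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig
C:\\Weaver\\jdk\\bin\\java.exe|C:\\Weaver\\jdk\\bin\\java.exe|java -version
"""

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(record: str):
    """Return a reason string if the record is suspicious, else None."""
    if record.count("|") < 2:
        return None  # malformed record, skip rather than crash the scan
    parent, image, cmdline = record.split("|", 2)
    if _basename(parent) != "java.exe":
        return None  # only children of the Tomcat JVM are in scope
    child = _basename(image)
    if child in RECON_TOOLS:
        return f"recon tool {child} spawned by java.exe"
    if child in SHELLS:
        if ENCODED_PS.search(cmdline):
            return "encoded PowerShell spawned by java.exe"
        return f"shell {child} spawned by java.exe"
    return None

def scan(log: str):
    """Return (line_number, reason) for every suspicious record in the log."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        why = classify(line)
        if why:
            hits.append((n, why))
    return hits
```

On a server where the JVM legitimately spawns helper processes, add those images to an allow-list before alerting; the `java.exe` parent check is the part of this logic that matters most.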