RC RANDOM CHAOS

Weaver E-cology RCE flaw exploited days after patch, weeks before disclosure

via BleepingComputer

Original source

Weaver E-cology critical bug exploited in attacks since March

BleepingComputer →

Attackers began exploiting CVE-2026-22679, an unauthenticated remote code execution flaw in Weaver E-cology 10.0, on March 17: five days after the vendor shipped a fix and roughly two weeks before public disclosure. The bug is an exposed debug API endpoint that passes user-supplied parameters straight into backend RPC calls without authentication or input validation, so a crafted request can run operating-system commands with the privileges of the Tomcat-bundled JVM that hosts the application.

Threat intelligence firm Vega traced a roughly week-long campaign with distinct phases: an initial Goby-style ping callback to confirm code execution out of band, several PowerShell payload downloads that endpoint defenses blocked, a failed target-aware MSI installer (fanwei0324.msi), and a return to obfuscated, fileless PowerShell fetches. Reconnaissance with whoami, ipconfig and tasklist ran throughout, yet the attackers never established a persistent session on victim hosts.
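One way to hunt for the tradecraft described above in endpoint telemetry, as an added example (not code from the article, BleepingComputer, or the researchers it cites): it triages Sysmon-style process-creation events and flags the application's JVM spawning whoami, ipconfig or tasklist, PowerShell carrying downloader or obfuscation markers, or msiexec. The events are constructed; the 'ecology' install-path marker, the event field names and the PowerShell marker list are assumptions, not details from the article.

```python
"""Hunt for the post-exploitation chain summarised above: the Tomcat-bundled
JVM of a web application spawning recon tools, PowerShell downloaders or
msiexec. Added example, not code from the article or its sources.

Assumptions (not from the article): Sysmon-style event fields (ParentImage,
Image, CommandLine, ProcessId), an install path containing 'ecology', and
the specific PowerShell markers below.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Recon binaries the article names; a workflow platform's JVM has no
# legitimate reason to launch these directly.
RECON_TOOLS = {"whoami.exe", "ipconfig.exe", "tasklist.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INSTALLERS = {"msiexec.exe"}

# Markers of the fileless / obfuscated PowerShell stage: base64 -enc blobs,
# hidden windows, no profile, in-memory download-and-execute cradles.
PS_MARKERS = re.compile(
    r"(-enc\w*\s+[A-Za-z0-9+/=]{20,}"          # -EncodedCommand <base64>
    r"|downloadstring|invoke-webrequest|\biwr\b"
    r"|\biex\b|invoke-expression"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-nop\b)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_webapp_jvm(event: dict, app_marker: str = "ecology") -> bool:
    """Parent is java.exe running out of the (assumed) application install tree."""
    parent = event.get("ParentImage", "")
    return _basename(parent) == "java.exe" and app_marker in parent.lower()


def triage(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches one of the campaign's phases."""
    if not is_webapp_jvm(event):
        return None
    pid = int(event["ProcessId"])
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    lowered = cmdline.lower()

    if child in RECON_TOOLS:
        return Finding(pid, f"JVM spawned recon tool {child}")
    if child in INSTALLERS:
        return Finding(pid, f"JVM spawned msiexec: {cmdline}")
    if child in SHELLS:
        m = PS_MARKERS.search(cmdline)
        if m:
            return Finding(pid, f"JVM spawned {child} with downloader/obfuscation marker {m.group(0)!r}")
        for tool in RECON_TOOLS:
            if tool[:-4] in lowered:  # e.g. 'cmd.exe /c ipconfig /all'
                return Finding(pid, f"JVM spawned {child} running {tool[:-4]}")
        return Finding(pid, f"JVM spawned {child}")
    return None  # java.exe forking java.exe, or a parent outside the app tree


def hunt(events: Iterable[dict]) -> list[Finding]:
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed events modelled on the phases the summary describes; the
# base64 blob is a synthetic placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"ProcessId": 1002, "ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"ProcessId": 1003, "ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"ProcessId": 1004, "ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    # Benign: a user running whoami from Explorer, and the JVM forking itself.
    {"ProcessId": 2001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"ProcessId": 2002, "ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\ecology\jdk\bin\java.exe", "CommandLine": "java -version"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason}")
```

In practice the events come from Sysmon Event ID 1 or an EDR's process-creation feed, and the parent-path marker should be tuned to the real install directory. The logic keys on the parent/child relationship rather than on the HTTP request, because the summary does not name the debug endpoint; a request-level detection would need the path from the vendor advisory or the original research.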

Weaver E-cology is a collaboration and workflow platform used heavily by Chinese enterprises, so its install base is regionally concentrated but operationally critical. The vendor's build 20260312 removes the debug endpoint outright; no workarounds are offered, so upgrading is the only remediation. The compressed window between fix and exploitation underscores how quickly attackers reverse-engineer vendor patches into working exploits when public disclosure lags behind the fix.


This is an AI-generated summary. Read the original for the full story.