CyberSecurityNews

Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks


A critical unauthenticated remote code execution vulnerability in the Weaver E-cology platform is currently being actively exploited in the wild.

CVE-2026-22679 carries a maximum CVSS score of 9.8 and affects Weaver E-cology 10.0 builds released before 20260312.

The security flaw exists in an exposed debug endpoint that allows attackers to execute arbitrary commands without requiring any authentication.

By sending specially crafted POST requests, attackers can pass malicious input directly to the operating system.

The earliest evidence of exploitation was observed on March 17, 2026, just five days after the vendor patch was released.

The Vega Threat Research team has uncovered a series of attacks that began just days after the vendor released an official patch.

This rapid weaponization highlights how quickly threat actors can adopt new exploits to compromise enterprise platforms.

Weaver E-cology RCE exploited

The attackers began their campaign by verifying their remote code execution capabilities through simple ping callbacks.

Using the Tomcat-bundled Java Virtual Machine, they launched a series of ping commands directed at a callback infrastructure associated with the Goby vulnerability-scanning framework.

This technique allowed the attackers to easily confirm their access by checking the HTTP response body for unique marker tokens.

Following their initial access, the operators aggressively attempted to deliver various malicious payloads over three days.

They tried to drop multiple executable files and a Windows Installer package specifically named to reflect the targeted Weaver software.

Fortunately, robust endpoint detection and response defenses successfully quarantined these attempts, effectively preventing the deployment of the malicious files.

After security tools blocked their initial payloads, the attackers shifted to active evasion.

They copied the legitimate Windows PowerShell executable to a file with a plain-text (.txt) extension so that process-name-based detections would not match it.

Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also successfully intercepted.

Throughout the attack sequence, the threat actors continuously executed system discovery commands like whoami and tasklist.

Because the vulnerable debug endpoint reflects the output of executed commands directly in the HTTP response, the attackers did not need to establish a persistent shell on the victim host.

This simple request-and-response pattern let them interleave discovery and payload delivery without ever maintaining an interactive session on the host.

Organizations running Weaver E-cology must urgently update their systems to build 20260312 or later, which completely removes the vulnerable debug endpoint.

Security teams should actively monitor for anomalous processes parented by the Java Virtual Machine, particularly those involving network utilities or command-line interpreters.

Implementing robust endpoint defenses and routinely reviewing network traffic to the affected API paths can also help identify potential compromise attempts.
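The detection recommendation above, as an added example that is not part of the original article: a small checker that runs over constructed process-creation events (Sysmon Event ID 1 style fields, not telemetry from this incident) and flags a JVM spawning interpreters or network utilities, a renamed interpreter binary, and fileless PowerShell launched from the web-app process.

```python
import ntpath

# Interpreters and network utilities the Tomcat JVM should not normally spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "ping.exe"}
JVM_IMAGES = {"java.exe", "javaw.exe"}
# PE version-resource names survive copying or renaming the binary on disk.
INTERPRETER_ORIGINAL_NAMES = {"powershell.exe", "cmd.exe"}
FILELESS_MARKERS = ("-enc", "downloadstring", "iex", "invoke-expression")


def base(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the detection labels that fire for one process-creation event."""
    hits = []
    parent = base(event.get("ParentImage", ""))
    image = base(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if parent in JVM_IMAGES and image in SUSPICIOUS_CHILDREN:
        hits.append("jvm_spawns_interpreter_or_net_util")
    # Copied/renamed binary: on-disk name differs from the PE's original name.
    if original in INTERPRETER_ORIGINAL_NAMES and image != original:
        hits.append("renamed_interpreter_binary")
    if parent in JVM_IMAGES and any(m in cmd for m in FILELESS_MARKERS):
        hits.append("jvm_fileless_powershell")
    return hits


# Constructed sample events; paths, file names and arguments are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c ping -n 1 callback.example"},
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\Temp\2.txt", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "2.txt -nop -w hidden -c IEX(...)"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe"},
]


def scan(events):
    """Return (image, labels) for every event that triggers at least one rule."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS):
        print(image, labels)
```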

Indicators of Compromise (IOCs)

Network Indicators

| IP Address | Purpose | Associated URLs / Activity |
|---|---|---|
| 152.32.173[.]138 | Callback verification (Goby framework) | http://152.32.173[.]138/U<16hex>.<8hex> |
| 205.209.116[.]54 | Initial payload hosting | /vsgbt.exe, /hjchhb.exe |
| 161.132.49[.]114 | Base64 stager hosting | /config.js |
| 141.11.89[.]42 | MSI payload delivery | /fanwei0324.msi |
| 132.243.172[.]2 | Fileless PowerShell scripts | /config/xx.ps1, /w-2026/x.ps1 |

File Hash

| File Name | SHA256 Hash |
|---|---|
| fanwei0324[.]msi | 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f |

Filenames / Artifacts

| Filename | Description |
|---|---|
| vsgbt[.]exe | Initial stager |
| hjchhb[.]exe | Initial stager |
| nvm[.]exe | Fake Node Version Manager binary |
| fanwei0324[.]msi | Malicious MSI installer |
| 2[.]txt | Renamed PowerShell binary |
| config[.]js | Base64 stager |
| xx[.]ps1 / x[.]ps1 | Fileless PowerShell payloads |

Host Indicators

| Indicator Type | Description |
|---|---|
| Suspicious Processes | java[.]exe spawning cmd[.]exe, powershell[.]exe, ping[.]exe |
| Exploitation Sign | Unauthorized command execution via debug endpoint |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
