The Five-Day Race: Hackers Weaponize Critical Weaver E-cology RCE via Exposed Debugging API
Adversaries commenced the exploitation of a critical vulnerability within Weaver E-cology a mere few days following the release of its remediation. These incursions were executed with surgical precision rather than as a broad campaign, underscoring the celerity with which malicious actors audit enterprise systems for nascent vulnerabilities.
The flaw in question, designated CVE-2026-22679, constitutes a remote code execution (RCE) defect residing in Weaver E-cology 10.0 builds predating March 12, 2026. This platform is extensively deployed for office automation, document management, HR operations, and the internal workflows of numerous organizations.
Weaver disseminated a patch on March 12, yet the technical specifics were disclosed only subsequently. According to the Vega research collective, the inaugural assaults materialized approximately five days after the update’s release and a full fortnight prior to the official notification. This activity spanned roughly one week and unfolded across several sophisticated stages.
The root cause was traced to an exposed debugging API. This unauthenticated interface permitted user-supplied parameters to bypass security checks and interact directly with server-side RPC functions. Consequently, interlopers could transmit meticulously crafted values that the server executed as privileged system commands. A similar vector—the failure to validate input prior to authentication—was notably leveraged during the October 2025 offensives against WatchGuard hardware.
Initially, the assailants verified the feasibility of remote code execution via Java-process ping commands directed toward a callback address associated with Goby. Subsequent attempts were made to deploy PowerShell scripts; however, endpoint protection utilities successfully thwarted these maneuvers.
Following these unsuccessful deployments, the adversaries attempted to execute a tailored MSI installer, “fanwei0324.msi,” specifically engineered for the target environment. The file failed to function as intended, and Vega specialists observed no further activity via this particular conduit.
The attackers eventually returned to the vulnerable RCE interface, utilizing obfuscated PowerShell in a fileless execution manner to repeatedly retrieve remote scripts. Throughout every stage, reconnaissance commands such as whoami, ipconfig, and tasklist were invoked to map the environment.
Vega clarifies that all observed processes originated from java.exe—the Java Virtual Machine embedded within the Tomcat instance utilized by Weaver. There were no indications of prior authentication. Despite the successful execution of code, the adversaries failed to establish a persistent foothold or maintain a stable session on the targeted host.
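As an added defender-side illustration (not code from the advisory or from Vega's report), the following Python flags the process lineage described above: command shells or PowerShell spawned by Tomcat's java.exe that run reconnaissance commands or carry obfuscation switches. The Sysmon-style field names and the sample events are constructed assumptions, not captured telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events in a Sysmon Event ID 1-like shape.
# Field names and paths are assumptions; nothing here is real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Weaver\tomcat\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Weaver\tomcat\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},  # placeholder payload
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: interactive user
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ParentImage": r"C:\Weaver\tomcat\bin\java.exe",    # benign: JVM child, not a shell
     "Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "java.exe -version"},
]

# Reconnaissance commands named in the report, and common PowerShell obfuscation switches.
RECON_CMDS = re.compile(r"\b(whoami|ipconfig|tasklist)\b", re.IGNORECASE)
PS_SUSPICIOUS = re.compile(r"(-enc(odedcommand)?\b|\biex\b|downloadstring|invoke-expression)",
                           re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a detection label, or None when the event does not match."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent != "java.exe" or child not in SHELLS:
        return None  # only shells whose parent is the JVM are of interest
    cmd = event["CommandLine"]
    if PS_SUSPICIOUS.search(cmd):
        return "java_spawned_obfuscated_powershell"
    if RECON_CMDS.search(cmd):
        return "java_spawned_recon"
    return "java_spawned_shell"  # still worth triage on an OA server


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and label of every matching event, in input order."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]


if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        print(idx, label, SAMPLE_EVENTS[idx]["CommandLine"])
```

Tune the parent-image match to the JVM path your Tomcat service actually uses, since a generic `java.exe` rule will also fire on other Java applications on the same host.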
The official security bulletin provides no temporary workarounds. Users of Weaver E-cology 10.0 are urged to expedite the installation of the most recent build, as version 20260312 entirely eradicates the hazardous debugging interface.