
Weaver E-cology critical bug exploited in attacks since March

Published:

4 May 2026 at 22:12:57

Alert date:

4 May 2026 at 23:00:43

Source:

bleepingcomputer.com


Enterprise Applications, Zero-Day Vulnerabilities

A critical vulnerability (CVE-2026-22679) in Weaver E-cology office automation software has been actively exploited by hackers since mid-March. Attackers are leveraging this vulnerability to execute discovery commands on affected systems. The exploitation of this critical bug poses significant security risks to organizations using the Weaver E-cology platform. The ongoing attacks highlight the importance of immediate patching and security measures for affected systems.

Technical details

CVE-2026-22679 is a critical unauthenticated remote code execution flaw affecting Weaver E-cology 10.0 builds prior to March 12. The flaw is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation. This lets attackers pass crafted values that are executed as system commands on the server. Attackers used the vulnerability to run discovery commands such as whoami, ipconfig, and tasklist, attempted PowerShell-based payload downloads, and tried to deploy MSI installers. All processes observed were parented by java.exe (Weaver's Tomcat-bundled Java Virtual Machine).
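The parent/child process pattern described above is what a defender can hunt for. The following is an added detection example, not code from the advisory or from Weaver: it flags process-creation events in which java.exe spawns one of the discovery or download tools named in the advisory, or launches an MSI installer. The event field names follow Sysmon Event ID 1 conventions, and the sample events and file paths are constructed for illustration.

```python
# Added detection example (not from the advisory): flag process-creation
# events where a child of the Tomcat-bundled java.exe is a shell, a
# discovery tool, or an MSI installer launch, as described in the advisory.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Tools the advisory says were spawned by java.exe, plus the shells that
# usually launch them. Compared against lowercase image basenames.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "ipconfig.exe",
    "tasklist.exe", "ping.exe", "msiexec.exe",
}

@dataclass
class Finding:
    event_id: int
    child: str
    reason: str

def basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_java_spawn(event: Dict[str, Any]) -> Optional[Finding]:
    """Return a Finding if java.exe spawned a suspicious child, else None."""
    if basename(event.get("ParentImage", "")) != "java.exe":
        return None
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if ".msi" in cmdline:  # MSI deployment attempt via any child of java.exe
        return Finding(event["EventRecordID"], child, "MSI installer referenced in command line")
    if child in SUSPICIOUS_CHILDREN:
        return Finding(event["EventRecordID"], child, "discovery/download tool spawned by java.exe")
    return None

def scan(events: List[Dict[str, Any]]) -> List[Finding]:
    return [f for e in events if (f := detect_java_spawn(e))]

# Constructed sample events (Sysmon-style fields; paths are hypothetical).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"EventRecordID": 3, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c msiexec /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"EventRecordID": 4, "ParentImage": r"C:\Weaver\jdk\bin\java.exe",
     "Image": r"C:\Weaver\jdk\bin\java.exe", "CommandLine": "java -version"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Records 1 and 3 are flagged; the explorer-launched cmd.exe and the java.exe-to-java.exe spawn are not, which keeps normal Tomcat activity out of the alert stream.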

Mitigation steps:

Users of Weaver E-cology 10.0 should apply the security updates available through the vendor's site as soon as possible. The vendor fix (build 20260312) removes the debug endpoint entirely. No alternative mitigations or workarounds are available, so upgrading is the only recommendation.

Affected products:

Weaver E-cology 10.0 (builds prior to March 12)

IOCs:

fanwei0324.msi, Goby-linked callback, ping commands from Java process, PowerShell-based payload downloads, obfuscated and fileless PowerShell scripts

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
