A critical security vulnerability affecting Weaver E-cology, an enterprise office automation and collaboration platform, is being actively exploited by attackers, posing a significant risk to organizations worldwide. The flaw, classified as CVE-2026-22679 with a severe CVSS score of 9.8, allows for unauthenticated remote code execution, enabling malicious actors to compromise systems without prior authorization.
The vulnerability specifically targets versions of Weaver E-cology 10.0 prior to the March 12, 2026 patch. It resides within the “/papi/esearch/data/devops/dubboApi/debug/method” endpoint. According to NIST National Vulnerability Database (NVD) descriptions, attackers can leverage this debug functionality by crafting specific POST requests to execute arbitrary commands on affected systems. This exposure presents a direct pathway for unauthorized system control.
Weaver E-cology Vulnerability Under Active Exploitation
The exploitation of the Weaver E-cology vulnerability has been confirmed by multiple security entities. The Shadowserver Foundation first detected signs of live attacks originating on March 31, 2026. Chinese cybersecurity vendor QiAnXin also successfully reproduced the remote code execution capabilities in their own analysis, releasing an alert on March 17, 2026.
More recently, the Vega Research Team reported identifying active exploitation of CVE-2026-22679, with the earliest evidence pointing to March 17, 2026. This date is notable as it falls just five days after patches were made available for the critical flaw, suggesting a rapid response from threat actors to capitalize on unpatched systems.
Details of the Attack Campaign
Security researcher Daniel Messing detailed observations of an intrusion campaign that unfolded over approximately one week. This activity included verification of the remote code execution, multiple failed attempts to deploy payloads, and an effort to install an MSI implant that ultimately did not succeed. The attackers also made brief attempts to download PowerShell payloads from infrastructure they controlled.
An MSI installer observed in the campaign bore the filename “fanwei0324.msi.” Israeli cybersecurity firm Vega Research indicated this naming convention may have been an attempt to disguise the malicious payload by using a romanized version of the Weaver platform’s name. Throughout these activities, the unknown threat actor was observed running standard reconnaissance commands, such as “whoami,” “ipconfig,” and “tasklist,” to gather information about the compromised environment.
Mitigation and Detection
To counter the threat posed by this Weaver E-cology vulnerability, security researcher Kerem Oruc has developed and shared a Python-based detection script. This script can identify vulnerable instances by probing the susceptible API endpoint for accessibility. Organizations utilizing Weaver E-cology are strongly advised to apply the latest security updates without delay to protect their systems from potential compromise.
The ongoing exploitation of CVE-2026-22679 underscores the importance of prompt patch management for enterprise software. As threat actors continue to target known vulnerabilities, organizations must maintain vigilance and ensure their systems are fortified with the latest security measures. The next expected step for affected users is the application of the provided patches, though vigilance against any residual attacker activity will also be crucial.