Weaver E-cology flaw exploited in attacks since March

Hackers have been exploiting a critical flaw in Weaver E-cology office automation software since mid-March to run discovery commands, according to a technical analysis by Vega. The activity targeted CVE-2026-22679 in E-cology 10.0 builds released before March 12.

KEY FACTS

  • Software: Weaver E-cology is used for workflows, document management, HR, and other internal business processes.
  • Vulnerability: CVE-2026-22679 is an unauthenticated remote code execution flaw.
  • Timeline: Attacks began five days after the vendor released a fix and about two weeks before public disclosure.
  • Impact: Attackers ran reconnaissance commands and tried several payloads, but no persistent session was established.

The flaw comes from an exposed debug API endpoint that lets user-supplied parameters reach backend RPC functions without authentication or input validation. That allows crafted values to be executed as system commands on the server.
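The pattern described above, reduced to its essentials, as an added illustration that is not E-cology code: a dispatcher that lets a request name any backend method without authentication or argument checks, beside a hardened dispatcher that authenticates first, allowlists methods, and validates arguments. The backend, its method names, the session token and the recording executor are assumptions made for the example; the "run_command" helper only records what it would run.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FakeBackend:
    """Stand-in for a backend RPC surface (assumed, not E-cology's API).
    The debug helper records commands instead of executing them so the
    example stays inert."""
    executed: List[str] = field(default_factory=list)

    def get_version(self) -> str:
        return "10.0-example"

    def run_command(self, cmd: str) -> str:
        # A real debug helper would hand this string to the OS shell.
        self.executed.append(cmd)
        return f"would run: {cmd}"


def vulnerable_dispatch(backend: FakeBackend, request: dict) -> str:
    """The flawed pattern: the caller names any backend method and supplies
    any arguments; nothing is checked before the call, so a debug helper
    that runs commands is reachable by anyone who can send a request."""
    method = getattr(backend, request["method"])
    return method(*request.get("args", []))


# Allowlist of callable methods and the argument count each expects.
ALLOWED_METHODS = {"get_version": 0}
VALID_TOKEN = "example-session-token"  # assumed; a real app checks a session


def hardened_dispatch(backend: FakeBackend, request: dict, token: Optional[str]) -> str:
    """Authenticate, then dispatch only allowlisted methods with validated
    argument counts. Debug helpers are simply absent from the allowlist, so
    they are unreachable whatever the request names."""
    if token != VALID_TOKEN:
        raise PermissionError("authentication required")
    name = request.get("method")
    if name not in ALLOWED_METHODS:
        raise ValueError(f"method not permitted: {name!r}")
    args = request.get("args", [])
    if not isinstance(args, list) or len(args) != ALLOWED_METHODS[name]:
        raise ValueError("bad arguments")
    return getattr(backend, name)(*args)


if __name__ == "__main__":
    b = FakeBackend()
    print(vulnerable_dispatch(b, {"method": "run_command", "args": ["whoami"]}))
    try:
        hardened_dispatch(FakeBackend(), {"method": "run_command", "args": ["whoami"]}, None)
    except PermissionError as exc:
        print("hardened:", exc)
```

The vendor's fix removes the debug endpoint entirely, which is the same idea as keeping it out of the allowlist: the safest unauthenticated management function is one that does not exist.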

Vega said the attackers first tested RCE by triggering ping commands from the Java process to a callback, then tried PowerShell-based downloads that were blocked by endpoint defenses. They later attempted to deploy an MSI installer named fanwei0324.msi, which did not execute properly.

After those failures, the attackers returned to the RCE endpoint and used obfuscated, fileless PowerShell to repeatedly fetch remote scripts. Across the activity, they ran commands including whoami, ipconfig, and tasklist.
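Hunting for the activity the article describes, as an added example that is not Vega's or the vendor's code: the recurring signal is the Java web-server process spawning discovery tools, obfuscated or download-style PowerShell, or an installer. The events below are constructed, and their field names mimic a Sysmon-style process-creation export, which is an assumption about the log source.

```python
import re
from typing import Dict, List, Tuple

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY_NAMES = {"whoami", "ipconfig", "tasklist", "ping"}

# Switches and cmdlets typical of fileless, script-fetching PowerShell.
PS_SUSPICIOUS = re.compile(
    r"(?:-enc(?:odedcommand)?\s|-e\s+[A-Za-z0-9+/=]{20,}|-nop\b|"
    r"-w(?:indowstyle)?\s+hidden|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation event is suspicious
    in the context of a compromised Java application server."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings: List[str] = []
    if parent not in JAVA_IMAGES:
        return findings  # only children of the Java process are in scope
    words = set(re.findall(r"[a-z0-9]+", cmdline.lower()))
    direct = child.removesuffix(".exe") in DISCOVERY_NAMES
    via_shell = child in SHELL_IMAGES and bool(DISCOVERY_NAMES & words)
    if direct or via_shell:
        findings.append("discovery command spawned by Java")
    if child in SHELL_IMAGES and PS_SUSPICIOUS.search(cmdline):
        findings.append("suspicious PowerShell spawned by Java")
    if child == "msiexec.exe":
        findings.append("installer launched by Java")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := triage_event(e))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\ecology\jre\bin\java.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\ecology\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\ecology\jre\bin\java.exe", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping.exe -n 1 callback.example"},
    {"ParentImage": r"C:\ecology\jre\bin\java.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},   # an admin's console, out of scope here
    {"ParentImage": r"C:\ecology\jre\bin\java.exe", "Image": r"C:\ecology\jre\bin\java.exe",
     "CommandLine": "java.exe -jar worker.jar"},  # child JVM, benign
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", reasons)
```

A Java application server rarely needs to launch shells, discovery tools or msiexec in normal operation, so this parent-child relationship is a high-signal baseline; the article's point that the activity stopped at reconnaissance also means the process-creation log may be the only artifact left, since no persistent implant was dropped.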

The vendor says the security update for E-cology 10.0 removes the debug endpoint entirely. The official bulletin lists no alternative mitigations or workarounds, so upgrading is the only recommended response.

WHY IT MATTERS

The attacks show that exposed management functions can be used quickly after a fix is released, even before wider disclosure. For organizations running affected versions, the issue can provide a direct path to command execution and system discovery until the update is installed.