A critical unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2026-22679, has been discovered in the Weaver E-cology platform. This flaw, carrying a maximum CVSS score of 9.8, affects Weaver E-cology version 10.0 builds released before March 12, 2026. The vulnerability resides in an exposed debug endpoint that allows attackers to execute arbitrary commands without requiring authentication. By sending specially crafted POST requests, malicious actors can pass harmful input directly to the operating system, leading to potential system compromise.
Discovery and Initial Exploitation
The Vega Threat Research team first observed exploitation of this vulnerability on March 17, 2026, merely five days after Weaver released an official patch. This rapid weaponization underscores the speed at which threat actors can adopt new exploits to target enterprise platforms.
Attack Methodology
Attackers initiated their campaign by verifying their ability to execute remote code through simple ping callbacks. Utilizing the Tomcat-bundled Java Virtual Machine, they launched a series of ping commands directed at callback infrastructure associated with the Goby vulnerability-scanning framework. This technique enabled attackers to confirm their access by checking HTTP response bodies for unique marker tokens.
Following initial access, the attackers attempted to deliver various malicious payloads over three days. They tried to drop multiple executable files and a Windows Installer package specifically named to reflect the targeted Weaver software. Fortunately, robust endpoint detection and response (EDR) defenses successfully quarantined these attempts, preventing the deployment of malicious files.
Evasion Tactics
After initial payloads were blocked, attackers shifted to active evasion techniques. They copied the legitimate Windows PowerShell executable into a plain-text file to bypass standard process-name detection. Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also intercepted by security measures.
Throughout the attack sequence, threat actors continuously executed system discovery commands like `whoami` and `tasklist`. The vulnerable debug endpoint reflects the output of executed commands directly in the HTTP response, allowing attackers to conduct discovery and payload delivery without establishing a persistent shell on the victim host.
Recommendations for Organizations
Organizations using Weaver E-cology should urgently update their systems to build 20260312 or later, which removes the vulnerable debug endpoint. Security teams should actively monitor for anomalous processes parented by the Java Virtual Machine, particularly those involving network utilities or command-line interpreters. Implementing robust endpoint defenses and routinely reviewing network traffic to the affected API paths can help identify potential compromise attempts.
Indicators of Compromise (IOCs)
Network Indicators:
– IP Address: 152.32.173[.]138
– Purpose: Callback verification (Goby framework)
– Associated Activity: http://152.32.173[.]138/U<16hex>.<8hex>
By staying vigilant and applying the recommended updates and monitoring strategies, organizations can mitigate the risks associated with this critical vulnerability.
