Hackers Exploit Weaver E-cology Bug in Targeted Attacks

“Every attacker process we observed is parented by java.exe (Weaver’s Tomcat-bundled Java Virtual Machine), with no preceding authentication,” explained Vega.

CVE-2026-22679 and Weaver E-cology 10.0

The vulnerability tracked as CVE-2026-22679 is a critical unauthenticated remote code execution flaw affecting Weaver E-cology 10.0 builds prior to March 12. Vega, a threat intelligence company, reported that the flaw is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation. That chain permits attackers to pass crafted values that are ultimately executed as system commands on the server, effectively turning the endpoint into a remote command execution interface.

Attack timeline and observable phases

Vega recorded malicious activity beginning in mid‑March. The attacks started five days after the software vendor released a security update for the issue, and two weeks before the vendor disclosed it publicly. The activity lasted roughly a week and unfolded in several distinct phases.

  • Initial verification: attackers tested for remote code execution by triggering ping commands from the Java process to a Goby-linked callback.
  • Payload download attempts: multiple PowerShell-based payload downloads followed, but Vega says those were blocked by endpoint defenses.
  • MSI deployment attempt: the actors tried to deploy a target-aware installer named fanwei0324.msi; it failed to execute properly and Vega observed no follow-up from that vector.
  • Reversion to RCE endpoint: after the failed MSI, attackers returned to the exposed debug API, using obfuscated and fileless PowerShell to repeatedly fetch remote scripts.

Reconnaissance, persistence, and defensive outcomes

Through all observed phases, the threat actors executed reconnaissance commands including whoami, ipconfig, and tasklist. Despite repeatedly exploiting the RCE opportunity provided by CVE-2026-22679, Vega reports the attackers never established a persistent session on the targeted host. Vega also notes that all attacker processes were parented by java.exe (Weaver’s Tomcat‑bundled Java Virtual Machine) and that no authentication preceded those processes.

Vendor remediation: build 20260312 and the upgrade imperative

Vega reports the vendor issued a fix in build 20260312. “The vendor fix (build 20260312) removes the debug endpoint entirely,” Vega stated. The official bulletin contains no alternative mitigations or workarounds, leaving an upgrade obtained from the vendor’s site as the only recommended action. Users of Weaver E-cology 10.0 are advised to apply the security updates available through the vendor as soon as possible.

What this means for Weaver E-cology users and security teams

  • Weaver E-cology users: apply the vendor update (build 20260312) immediately; the bulletin lists no other mitigations.
  • Security teams and administrators: review logs for processes parented by java.exe and for the reconnaissance indicators Vega observed (whoami, ipconfig, tasklist), and verify that affected builds prior to March 12 have been upgraded.
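
One way to turn the hunting guidance above into a check over process-creation telemetry, as an added example that is not part of the original story or of Vega’s tooling: it walks Sysmon-style Event ID 1 records (fields ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine) and flags reconnaissance tools or shells whose ancestry leads back to java.exe, including indirect chains such as java.exe spawning cmd.exe spawning whoami.exe. The sample records, the Weaver install path and the PowerShell markers are constructed assumptions, not details from the report.

```python
# Hunt Sysmon-style process-creation records for the pattern Vega describes: recon or PowerShell descending from java.exe.

RECON = {"whoami.exe", "ipconfig.exe", "tasklist.exe", "ping.exe"}  # tools named in the report
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PS_MARKERS = ("-enc", "-e ", "downloadstring", "iex ", "invoke-expression")  # assumed fileless-PowerShell markers, not from the article

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def descends_from_java(cur: dict, by_guid: dict) -> bool:
    """True if the event, or an ancestor within four hops, was spawned by java.exe."""
    for _ in range(4):  # enough to cover java.exe -> cmd.exe -> whoami.exe style chains
        if _basename(cur.get("ParentImage", "")) == "java.exe":
            return True
        cur = by_guid.get(cur.get("ParentProcessGuid", ""))
        if cur is None:  # parent not in the window of events we were given
            return False
    return False

def hunt(events: list) -> list:
    """Return one finding per suspicious event: {"image", "reason", "cmd"}."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["Image"])
        if name not in RECON | SHELLS or not descends_from_java(e, by_guid):
            continue
        cmd = e.get("CommandLine", "")
        if name in RECON:
            reason = "recon-from-java"
        elif any(m in cmd.lower() for m in PS_MARKERS):
            reason = "fileless-powershell-from-java"
        else:
            reason = "shell-from-java"
        findings.append({"image": name, "reason": reason, "cmd": cmd})
    return findings

def _ev(guid, parent_guid, image, parent_image, cmd):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmd}

# Constructed Sysmon Event ID 1 records for the demo; not telemetry from the incident.
JAVA = r"C:\Weaver\ecology\jre\bin\java.exe"  # assumed install path
SAMPLE_EVENTS = [
    _ev("C1", "J1", r"C:\Windows\System32\cmd.exe", JAVA, "cmd.exe /c whoami"),
    _ev("W1", "C1", r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\cmd.exe", "whoami"),
    _ev("P1", "J1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", JAVA,
        "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    _ev("B1", "E1", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\explorer.exe", "ipconfig /all"),
]
```

Run over the constructed events, `hunt` flags the cmd.exe, whoami.exe and powershell.exe records and leaves the administrator’s ipconfig run under explorer.exe alone; feed it a real Sysmon export and the false-positive check is whether java.exe legitimately spawns shells in your environment.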

The record Vega published is clear on technique and outcome: an exposed debug API turned into an unauthenticated command execution interface, attackers probed, attempted multiple delivery methods, and yet did not persist. The chronology — attacks beginning five days after the vendor’s fix and two weeks before public disclosure — is a sharp operational detail that will interest defenders and incident responders as they confirm patches and hunt for remnants. For now, the immediate next step is unambiguous: upgrade to build 20260312 and verify that the debug endpoint has been removed.
