Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/CyberSecurity News/Critical Weaver e-cology RCE Vulnerability Under Active Attack
CyberSecurity News

Critical Weaver e-cology RCE Vulnerability Under Active Attack

Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2026-22679, in Weaver E-cology 10.0 is under active exploitation. The flaw, rated 9.8 CVSS, affects builds released before...

Sarah simpson
Sarah simpson
May 5, 2026 3 Min Read
41 0

Key Takeaways

  • A critical remote code execution (RCE) vulnerability, CVE-2026-22679, in Weaver E-cology 10.0 is under active exploitation.
  • The flaw, rated 9.8 CVSS, affects builds released before March 12, 2026, stemming from an unauthenticated debug endpoint.
  • Exploitation was detected just five days after a vendor patch became available, highlighting rapid weaponization by threat actors.
  • Organizations must immediately update Weaver E-cology systems to build 20260312 or newer and enhance endpoint monitoring.

A severe, unauthenticated remote code execution (RCE) vulnerability within the Weaver E-cology platform is actively being exploited in ongoing attacks. This critical flaw, identified as CVE-2026-22679, holds a maximum CVSS score of 9.8, indicating its extreme severity. It impacts Weaver E-cology 10.0 systems with builds predating March 12, 2026.

Table Of Content

  • Key Takeaways
  • Weaver E-cology RCE Under Active Attack
  • What You Should Do
  • Indicators of Compromise (IOCs)
  • Network Indicators
  • File Hash
  • Filenames / Artifacts
  • Host Indicators

The core of the security weakness lies in an exposed debug endpoint that permits attackers to execute arbitrary system commands without requiring any form of authentication. By crafting and sending specific POST requests, malicious input can be directly passed to the underlying operating system.

Evidence of exploitation first surfaced on March 17, 2026, a mere five days after Weaver released an official patch. This swift weaponization underscores the agility of threat actors in leveraging newly disclosed vulnerabilities to compromise enterprise environments.

Weaver E-cology RCE Under Active Attack

The Vega Threat Research team has meticulously documented a series of attacks that commenced shortly after the vendor issued a fix. Attackers initiated their campaigns by confirming their RCE capabilities through simple network ping callbacks. They utilized the Java Virtual Machine bundled with Tomcat to issue ping commands directed at an infrastructure linked to the Goby vulnerability-scanning framework. This method allowed them to easily verify successful access by looking for unique marker tokens within the HTTP response body.

Following initial access confirmation, the operators aggressively attempted to deploy various malicious payloads over a three-day period. They endeavored to drop multiple executable files and a Windows Installer package, specifically named to mimic the targeted Weaver software. Fortunately, robust endpoint detection and response (EDR) systems successfully quarantined these attempts, effectively preventing the deployment of the malicious files onto the compromised systems.

After their initial payloads were blocked by security tools, the attackers pivoted to more advanced evasion techniques. They copied the legitimate Windows PowerShell executable and renamed it to a plain-text file to circumvent standard process-name-based detection. Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also successfully intercepted by the target’s defenses.

Throughout the entire attack sequence, the threat actors consistently executed system discovery commands such as whoami and tasklist. Because the vulnerable debug endpoint echoes the output of executed commands directly within the HTTP response, the attackers did not need to establish a persistent shell on the victim host. This strict request-and-response behavior enabled them to conduct discovery and payload delivery concurrently and with minimal effort.

What You Should Do

  • Patch Immediately: Organizations running Weaver E-cology must urgently update their systems to build 20260312 or later. This update completely removes the vulnerable debug endpoint.
  • Monitor for Anomalous Processes: Actively monitor for unusual processes spawned by the Java Virtual Machine (java.exe), particularly those involving network utilities (e.g., ping.exe) or command-line interpreters (e.g., cmd.exe, powershell.exe). The Vega Threat Research team provides detailed insights into these indicators.
  • Strengthen Endpoint Defenses: Ensure robust endpoint detection and response (EDR) solutions are fully operational and configured to block suspicious activities and known indicators of compromise.
  • Review Network Traffic: Routinely audit network traffic to affected API paths within your Weaver E-cology deployment for any unauthorized or suspicious requests.
  • Implement IOCs: Integrate the provided Indicators of Compromise (IOCs) into your security information and event management (SIEM) systems, intrusion detection systems (IDS), and other threat intelligence platforms for proactive detection.

Indicators of Compromise (IOCs)

Network Indicators

IP Address Purpose Associated URLs / Activity
152.32.173[.]138 Callback verification (Goby framework) http://152.32.173[.]138/U<16hex>.<8hex>
205.209.116[.]54 Initial payload hosting /vsgbt.exe, /hjchhb.exe
161.132.49[.]114 Base64 stager hosting /config.js
141.11.89[.]42 MSI payload delivery /fanwei0324.msi
132.243.172[.]2 Fileless PowerShell scripts /config/xx.ps1, /w-2026/x.ps1

File Hash

File Name SHA256 Hash
fanwei0324[.]msi 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f

Filenames / Artifacts

Filename Description
vsgbt[.]exe Initial stager
hjchhb[.]exe Initial stager
nvm[.]exe Fake Node Version Manager binary
fanwei0324[.]msi Malicious MSI installer
2[.]txt Renamed PowerShell binary
config[.]js Base64 stager
xx[.]ps1 / x[.]ps1 Fileless PowerShell payloads

Host Indicators

Indicator Type Description
Suspicious Processes java[.]exe spawning cmd[.]exe, powershell[.]exe, ping[.]exe
Exploitation Sign Unauthorized command execution via debug endpoint

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Cisco Acquires Astrix Security to Boost AI Agent and Non-Human Identity Security

Next Post

Critical Qualcomm Chipset Flaws Let Attackers Remotely Execute Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us