A severe vulnerability has been discovered in the Weaver E-cology platform, allowing remote code execution without authentication. This flaw, identified as CVE-2026-22679, has a critical CVSS score of 9.8 and affects versions released before March 12, 2026. The vulnerability stems from an exposed debug endpoint that permits attackers to run arbitrary commands via crafted POST requests. Exploitation was first detected on March 17, 2026, shortly after the vendor issued a patch. The Vega Threat Research team reported a swift wave of attacks that began soon after the patch release, underscoring the speed at which threat actors can leverage new vulnerabilities.
The attackers initially verified their remote code execution abilities by utilizing simple ping callbacks through the Tomcat-bundled Java Virtual Machine. This method involved sending ping commands to a callback infrastructure linked with the Goby vulnerability-scanning framework, allowing them to confirm access by examining the HTTP response body for specific marker tokens. Over the course of three days, the attackers attempted to deploy various malicious payloads, including executable files and a Windows Installer package named after the Weaver software. However, these efforts were thwarted thanks to effective endpoint detection and response measures.
When their initial payloads were blocked, the attackers resorted to evasive tactics, such as disguising the Windows PowerShell executable as a plain-text file to evade detection. They aimed to execute fileless PowerShell scripts directly in memory, but these attempts were intercepted as well. Throughout the attack, the threat actors executed system discovery commands due to the debug endpoint's capability to reflect command outputs in HTTP responses. This eliminated the need for a persistent shell on the compromised system and allowed concurrent discovery and payload delivery.
Organizations using Weaver E-cology must urgently update to build 20260312 or later to eliminate the vulnerability. Security teams are advised to monitor for unusual processes linked to the Java Virtual Machine, especially those involving network utilities or command-line interpreters. Additionally, strengthening endpoint defenses and regularly reviewing network traffic to the affected API paths can help detect potential threats.


