Weaver E-Cology Critical Bug Exploited in Attacks Since March

Weaver E‑cology, a widely deployed office‑automation suite in China, became the focus of a targeted campaign after a critical remote‑code‑execution flaw (CVE‑2026‑22679) was disclosed. The vulnerability resides in a debug API endpoint that bypasses authentication, allowing crafted RPC calls to execute arbitrary system commands. Such design oversights are especially perilous in enterprise platforms that integrate document management, HR, and workflow automation, because a single compromised server can expose a broad swath of internal processes.

Threat‑intelligence firm Vega documented a concise attack window that started five days post‑patch and lasted about a week. Attackers first verified RCE capability by issuing ping commands from the Java process, then attempted PowerShell‑based payload downloads, which were blocked by endpoint defenses. Although they tried to deploy a malicious MSI installer, the effort failed, and the actors reverted to fileless PowerShell scripts for further reconnaissance. The rapid exploitation after a vendor update illustrates a common tactic: adversaries monitor vendor bulletins to strike before organizations apply fixes, leveraging the brief period of exposure.

The incident reinforces the imperative for organizations to adopt a disciplined patch‑management lifecycle. Immediate application of security updates, combined with network segmentation and strict monitoring of privileged API endpoints, can mitigate similar threats. For Weaver E‑cology users, upgrading to build 20260312— which removes the vulnerable debug endpoint— is the sole remediation. More broadly, the case serves as a cautionary tale for enterprises worldwide: even critical patches can become attack vectors if not deployed swiftly, emphasizing the need for automated, tested, and rapid update pipelines to safeguard core business operations.