CVE-2026-22679: A 9.8 CVSS Zero-Day Exploited in Weaver E-cology
Security researchers have uncovered a highly sophisticated exploitation campaign targeting Weaver (Fanwei) E-cology, an enterprise office automation suite. This isn’t just a theoretical vulnerability; real-world intrusion activity was traced back to mid-March 2026, predating public disclosure by several weeks. This “zero-day” window allowed threat actors to establish a foothold in enterprise environments before most defenders were even aware of the threat.
Tracked as CVE-2026-22679, the flaw carries a critical CVSS score of 9.8. The severity stems from its nature as an unauthenticated, remote code execution (RCE) primitive, allowing an attacker to achieve full OS-level compromise on the host server without needing a single set of credentials.
Technical Breakdown: The Dubbo RPC Exploit
The vulnerability exists in Weaver E-cology 10.0 (builds prior to 20260312). The root cause is an exposed, unauthenticated debug endpoint located at: POST /papi/esearch/data/devops/dubboApi/debug/method.
The technical breakdown of the flaw is as follows:
- Insecure Deserialization/Logic: The endpoint accepts JSON parameters, specifically
interfaceNameandmethodName. - Lack of Input Validation: These parameters are passed directly into the Dubbo RPC invoker. Because the endpoint lacks strict input validation or authentication checks, the Dubbo framework can be coerced into routing these inputs to sensitive internal classes.
- The Payload: By supplying
interfaceName: “com.weaver.rpc.InvokeCommand”andmethodName: “executeCommand”, an attacker can leverage the application’s own internal helpers to run arbitrary OS commands via the Tomcat-bundled Java Virtual Machine (JVM).
While the vendor addressed this by removing the debug endpoint entirely in the March 12 patch, the Vega Threat Research team identified that exploitation was already well underway before the public caught up.
Anatomy of a Breach: Four Phases of Intrusion
By analyzing EDR (Endpoint Detection and Response) telemetry from a compromised Windows-based Weaver deployment, we can reconstruct a week-long, structured intrusion campaign. A defining characteristic of this attack is that every malicious process originated from java.exe, confirming that the Weaver JVM was the primary vehicle for all post-exploitation activity.
Phase 1: Reconnaissance & Verification (March 17)
The operator began by verifying the RCE primitive. They executed ping.exe calls to 152.32.173[.]138, which is linked to the Goby attack-surface mapping framework. Because the vulnerable debug endpoint returns command stdout in the HTTP response, the attacker could confirm successful execution in real-time without needing a persistent reverse shell.
Phase 2: Payload Probing (March 20–22)
The attacker attempted to pull executable payloads using various PowerShell “download cradles.” These included attempts to fetch vsgbt.exe, hjchhb.exe, and nvm.exe. One notable attempt involved Base64-encoded PowerShell commands designed to mask the payload as the legitimate Node Version Manager (nvm.exe) to bypass casual inspection.
Phase 3: The MSI Pivot (March 24)
Switching tactics, the attacker attempted to deploy a Windows Installer package named fanwei0324.msi. The naming convention suggests a structured approach, likely used by the actor to track specific victim iterations. While msiexec.exe was successfully triggered, the installation failed, potentially due to a malformed package structure.
Phase 4: Fileless Evasion & Script Execution (March 24)
Realizing the MSI approach was unsuccessful, the actor shifted to highly evasive, fileless techniques. To bypass process-name-based monitoring, they copied powershell.exe to a file named 2.txt. They then utilized obfuscated PowerShell scripts—employing character arrays and randomized casing—to execute DownloadString and IEX (Invoke-Expression) commands. This allowed them to run remote scripts (xx.ps1, x.ps1) entirely in memory, leaving minimal forensic footprints on the physical disk.
Immediate Remediation & Defense Strategy
If your organization utilizes Weaver E-cology, we recommend the following defensive posture immediately:
- Patch Deployment: Upgrade to Weaver E-cology build 20260312 or later immediately. This is the only definitive way to remove the vulnerable endpoint.
- Behavioral Hunting: Audit your process trees. Any instance of
java.exespawningcmd.exe,powershell.exe, orping.exeshould be treated as a high-fidelity indicator of compromise (IOC). - Egress Filtering: Monitor and restrict outbound connections from your OA (Office Automation) servers. Specifically, look for unauthorized PowerShell web requests or connections to known Goby infrastructure.
- Advanced EDR Tuning: Configure your EDR to alert on common fileless execution patterns, such as
IEX/DownloadStringusage, renamed PowerShell binaries, and heavily encoded command-line arguments.
Threat Intelligence: Indicators of Compromise (IOCs)
Note: IP addresses and domains are defanged to prevent accidental interaction. Please re-fang these within your SIEM, MISP, or VirusTotal environments.
Network Indicators (IPs)
| IP Address | Observed Role |
|---|---|
205.209.116[.]54 |
Payload hosting (vsgbt.exe, hjchhb.exe) |
161.132.49[.]114 |
Payload hosting (config.js / nvm.exe) |
141.11.89[.]42 |
MSI payload hosting (fanwei0324.msi) |
132.243.172[.]2 |
PowerShell script hosting (xx.ps1, x.ps1) |
152.32.173[.]138 |
Goby callback infrastructure |
Network Indicators (URLs)
http://205.209.116[.]54:2013/vsgbt.exehttp://205.209.116[.]54:2013/hjchhb.exehttp://161.132.49[.]114/config.jshttp://141.11.89[.]42/fanwei0324.msihttp://132.243.172[.]2/config/xx.ps1http://132.243.172[.]2/w-2026/x.ps1http://152.32.173[.]138/U.
File Indicators (Hashes)
| Filename | SHA256 Hash |
|---|---|
| fanwei0324.msi | 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f |