Weaver E-cology Critical Bug Exploited in Attacks Since March

BleepingComputer reports that a critical vulnerability, CVE-2026-22679, in Weaver E-cology office automation software has been under active exploitation since mid-March. Attackers are leveraging this flaw to execute discovery commands on affected systems, indicating initial reconnaissance and potentially paving the way for deeper compromise.

Weaver E-cology is a widely used office automation platform, particularly prevalent in certain regions. The exploitation of this critical bug highlights a significant supply chain risk for organizations relying on this software. Attackers are clearly prioritizing initial access and internal network mapping, which is a precursor to data exfiltration, ransomware deployment, or long-term persistence.

This isn’t a theoretical threat; it’s a confirmed active campaign. Defenders need to recognize that once discovery commands run successfully, an attacker has a foothold and is actively understanding the target environment. The next steps are predictable: privilege escalation, lateral movement, and ultimately, objective fulfillment.

What This Means For You

  • If your organization uses Weaver E-cology office automation, immediately check for vendor advisories and available patches for CVE-2026-22679. Prioritize patching these systems. Additionally, audit your network logs for any unusual discovery commands or outbound connections originating from Weaver E-cology servers since early March. Assume compromise and hunt for post-exploitation activity.
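One way to run the log audit described above, as an added example that is not part of the original article or any vendor tooling. The event field names, the `java` parent process, the discovery-command list and the March 2026 window start are all assumptions to adjust for your environment, and the sample events are constructed.

```python
import json
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Assumption: the process hosting the E-cology web app; set this for your deployment.
APP_SERVER_PARENTS = {"java"}
# Generic discovery utilities (a common hunting list, not taken from the article).
DISCOVERY_BINARIES = {"whoami", "hostname", "ipconfig", "ifconfig", "systeminfo",
                      "net", "netstat", "tasklist", "nltest", "arp", "id", "uname"}
# Assumption: the hunt window opens at the start of March 2026 (UTC).
HUNT_START = datetime(2026, 3, 1, tzinfo=timezone.utc)

def binary_name(path):
    """Lower-cased file name without .exe; accepts Windows and POSIX paths."""
    name = PureWindowsPath(path).name.lower()
    return name[:-4] if name.endswith(".exe") else name

def hunt(lines):
    """Return process events where the app server spawned a discovery command."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            when = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            if when.tzinfo is None:  # treat naive timestamps as UTC
                when = when.replace(tzinfo=timezone.utc)
            from_app = binary_name(ev["parent_image"]) in APP_SERVER_PARENTS
            tokens = re.split(r"[\s&|;\"']+", ev["command_line"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        found = sorted({binary_name(t) for t in tokens} & DISCOVERY_BINARIES)
        if from_app and when >= HUNT_START and found:
            hits.append({"timestamp": ev["timestamp"], "host": ev.get("host"), "commands": found})
    return hits

# Constructed sample events in a hypothetical normalized process-creation schema.
_JAVA = "C:\\app\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"timestamp": "2026-03-20T02:14:07Z", "host": "oa01", "parent_image": _JAVA, "command_line": "cmd.exe /c whoami"},
    {"timestamp": "2026-03-20T02:14:09Z", "host": "oa01", "parent_image": _JAVA, "command_line": "cmd.exe /c ipconfig /all & net user"},
    {"timestamp": "2026-02-10T11:00:00Z", "host": "oa01", "parent_image": _JAVA, "command_line": "cmd.exe /c whoami"},
    {"timestamp": "2026-03-21T09:30:00Z", "host": "oa01", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "ipconfig"},
    {"timestamp": "2026-03-22T08:00:00Z", "host": "oa01", "parent_image": _JAVA, "command_line": "java.exe -jar report.jar"},
)] + ["not-json"]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Hits are triage leads: confirm each against the host's normal administrative activity before treating it as post-exploitation behaviour.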

Related ATT&CK Techniques

πŸ›‘οΈ Detection Rules

critical T1059 Execution

CVE-2026-22679 - Weaver E-cology Command Execution

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-22679 | RCE | Weaver E-cology office automation
CVE-2026-22679 | Command Injection | Ability to run discovery commands