Weaver E-cology, which is also predominantly used in China, is an office automation and collaboration solution that enables organizations to manage portals, workflows, knowledge, projects, clients, assets, communications, and more.

The exploited bug, tracked as CVE-2026-22679 (CVSS score of 9.3), exists because exposed debug functionality can be invoked via crafted POST requests to execute arbitrary commands.

Patches for the unauthenticated RCE weakness were released on March 12, and the first exploitation attempts were observed less than a week later, Vega reports.

As part of the observed activity, the attackers probed the vulnerability via ping callbacks, then attempted to deliver various payloads. Ultimately, the attackers executed discovery commands, using the exposed debug endpoint as a shell.

“The operator never needed a persistent shell: the debug endpoint is the shell, with strict request/response semantics. This is also why payload delivery and discovery could happen concurrently: both are different POST bodies to the same endpoint,” Vega notes.

Ionut Arghire is an international correspondent for SecurityWeek.

Source: SecurityWeek