Zero-Day CVE-2026-22679 in Weaver E-Cology Exploited Since March
Security researchers have identified a critical remote-code-execution flaw in Weaver E-cology, a widely deployed office-automation platform. The vulnerability, tracked as CVE-2026-22679, was exploited in the wild as early as mid-March 2026, months before a fix was available. It resides in the WorkflowService API component of E-cology versions 9.x and 10.x prior to the June 2026 patch (10.5.0.120). Successful exploitation lets an unauthenticated attacker execute arbitrary OS commands on the server with a single specially crafted HTTP request.
The attack chain begins with a POST request to /api/workflow/WFService?method=execute that carries the malicious payload disguised as a workflow parameter. The vulnerable code concatenates the user-supplied string directly into a system call without sanitization, so shell metacharacters in the parameter turn a workflow argument into additional commands (classic command injection). In the observed incidents the attackers first ran discovery commands such as whoami, ipconfig (or ifconfig on Linux), net user, and arp -a to enumerate user accounts, network interfaces, and internal IP ranges. The command output was then sent over a short-lived HTTP connection to an external host controlled by the threat actor.
Multiple threat intelligence firms, including NSFOCUS and CrowdStrike, have linked the campaign to an advanced persistent threat (APT) group designated internally as TEMP-CARBON. Their analysis shows that after the initial reconnaissance the group deploys a lightweight backdoor named ECOLOADER to maintain persistence and await further instructions, such as data theft or delivery of ransomware payloads. Published indicators of compromise (IoCs) include the hash value 7f3e2a1c9b4d5e6f reported for the payload DLL (described as an MD5, although only 16 hex characters are given, so treat it as a prefix rather than a full digest when building blocklists) and an anomalous pattern of DNS queries for the domain e-cology-scan[.]no-ip[.]biz.
Weaver has released emergency patch 10.5.0.120, which removes the unsafe string concatenation and adds input-validation checks. Organizations still running older builds are urged to apply the update immediately and to audit outbound traffic for the IoCs above. Security teams can also deploy detection rules that flag requests to the WorkflowService endpoint whose parameter values contain characters such as &, |, or ;. Two details matter for such a rule: the payload travels in a POST request, so the body must be inspected as well as the query string, and the check should run on URL-decoded parameter values, because a raw & in a query string is only a parameter separator and matching it literally will generate noise. In parallel, monitor for sudden spikes in commands like whoami or net.exe being spawned under the web-service account. Network segmentation and least-privilege policies for the E-cology service account will limit the impact of any future exploitation.
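The following is an added example (not code from the advisory, Weaver, or any of the named vendors) that implements the two detection ideas just described: inspecting WorkflowService requests for shell metacharacters in decoded parameter values, in both the query string and the POST body, and counting discovery-tool launches per service account to catch the spike signal. The endpoint path and the discovery tool names come from the text; the service account names, the metacharacter set, and all sample requests and process-creation events are constructed for this example.

```python
"""Detection helpers for the E-cology WorkflowService exploitation pattern.

Two checks, following the advisory text:
  1. Requests to the WorkflowService endpoint whose URL-decoded parameter
     values (query string or POST body) contain shell metacharacters.
  2. Process-creation events where the web-service account launches one of
     the discovery tools, counted per account to surface a burst.
All sample data below is constructed for this example.
"""
import re
from collections import Counter
from posixpath import basename
from urllib.parse import urlsplit, unquote_plus

WF_ENDPOINT = "/api/workflow/WFService"
# Characters and sequences that chain or substitute commands in sh and cmd.exe.
SHELL_META = re.compile(r"[;&|`]|\$\(")
# Discovery tools named in the advisory (compared without the .exe suffix).
RECON_TOOLS = {"whoami", "net", "net1", "ipconfig", "ifconfig", "arp"}
# Accounts the E-cology service runs under: assumed names for this example.
WEB_SERVICE_ACCOUNTS = {"ecology", "weaver"}


def _decoded_params(encoded):
    """Split a query string or form body on '&', then URL-decode each field.

    Decoding after the split means a raw '&' is only ever a separator, while
    '%26' or '%3B' inside a value becomes a metacharacter we can inspect.
    """
    pairs = []
    for chunk in encoded.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_request(method, url, body=""):
    """Return the (name, value) parameters of a WorkflowService request that
    carry shell metacharacters; [] for clean requests and other endpoints."""
    parts = urlsplit(url)
    if parts.path != WF_ENDPOINT:
        return []
    params = _decoded_params(parts.query)
    if method.upper() == "POST" and body:
        # Form-encoded bodies are split into fields; anything else (JSON, XML)
        # is inspected as one blob so the metacharacter check still applies.
        params += _decoded_params(body) if "=" in body else [("<body>", unquote_plus(body))]
    return [(n, v) for n, v in params if SHELL_META.search(n) or SHELL_META.search(v)]


def scan_requests(requests):
    """requests: iterable of (method, url, body). Returns [(url, hits), ...]."""
    flagged = []
    for method, url, body in requests:
        hits = suspicious_request(method, url, body)
        if hits:
            flagged.append((url, hits))
    return flagged


def recon_spawned_by_service(event):
    """True when a process-creation event shows the web-service account running
    one of the discovery tools. event: {'user', 'image', 'parent_image'}."""
    image = basename(event["image"].replace("\\", "/")).lower()
    tool = image[:-4] if image.endswith(".exe") else image
    return tool in RECON_TOOLS and event["user"].lower() in WEB_SERVICE_ACCOUNTS


def recon_burst(events, threshold=3):
    """Count discovery-tool launches per service account and return the
    accounts at or above the threshold, i.e. the 'sudden spike' signal."""
    counts = Counter(e["user"].lower() for e in events if recon_spawned_by_service(e))
    return {user: n for user, n in counts.items() if n >= threshold}


SAMPLE_REQUESTS = [  # constructed: (method, url, body)
    ("POST", "/api/workflow/WFService?method=execute", "workflowId=1042&param=report.pdf"),
    ("POST", "/api/workflow/WFService?method=execute", "workflowId=1042&param=report.pdf%3B+whoami"),
    ("GET", "/api/workflow/WFService?method=status&id=7|ipconfig", ""),
    ("GET", "/api/workflow/WFService?method=status&id=7", ""),  # '&' as separator only
    ("GET", "/login?next=/home&lang=en;q=0.8", ""),  # other endpoint, not in scope
]

SAMPLE_PROCESSES = [  # constructed process-creation events
    {"user": "ecology", "image": r"C:\Windows\System32\whoami.exe", "parent_image": r"D:\ecology\jre\bin\java.exe"},
    {"user": "ecology", "image": r"C:\Windows\System32\net.exe", "parent_image": r"D:\ecology\jre\bin\java.exe"},
    {"user": "ecology", "image": r"C:\Windows\System32\ARP.EXE", "parent_image": r"D:\ecology\jre\bin\java.exe"},
    {"user": "admin", "image": r"C:\Windows\System32\ipconfig.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"user": "ecology", "image": r"D:\ecology\jre\bin\java.exe", "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for url, hits in scan_requests(SAMPLE_REQUESTS):
        print("suspicious request:", url, "->", hits)
    print("recon burst by account:", recon_burst(SAMPLE_PROCESSES))
```

Running the block flags the two requests whose decoded parameter values contain ; or |, leaves the request that only uses & as a separator alone, and reports the ecology account for three discovery-tool launches. Tune WEB_SERVICE_ACCOUNTS and the threshold to the environment, and feed real access-log fields and EDR process events in place of the constructed samples.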