Timeline: After the March 12 patch, Weaver E‑cology CVE‑2026‑22679 was exploited via an unauthenticated debug API — endpoint defenses stopped persistence
A critical unauthenticated RCE in Weaver E‑cology 10.0 (CVE‑2026‑22679) was actively exploited in mid‑ to late‑March 2026 after the vendor released a patch on March 12; endpoint defenses intervened and prevented persistent compromise, leaving timely patching as the primary remediation.
How the March exploitation sequence unfolded
The vendor released a patch on March 12, 2026; attackers began exploiting the exposed debug API within days, with the first public evidence appearing on March 31, 2026. The exploit targeted the debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method and abused the interfaceName and methodName parameters to call internal command‑execution helpers without authentication.
All observed attack activity originated from the Weaver Tomcat JVM process, not from a separate foothold, and early reconnaissance used callbacks tied to the Goby scanning framework: probes produced reflected HTTP responses that served as verification of remote code execution rather than traditional ICMP pings.
Payloads, evasion tactics, and what defenses blocked
Attackers attempted multiple follow‑on payloads: PowerShell‑based executables (vsgbt.exe, hjchhb.exe), a disguised nvm.exe, and a target‑aware MSI named fanwei0324.msi (the MSI referenced the vendor and the March attack date). EDR systems quarantined or blocked these binaries, and investigators found the MSI failed to execute properly—likely a malformed package—so it never established a persistent installer.
When binary delivery failed, the attackers reverted to fileless approaches: they copied the legitimate powershell.exe to a renamed file (2.txt) and ran obfuscated PowerShell that repeatedly fetched remote scripts. Those fileless runs were detected and prevented; no persistent shell, no lateral movement, and no successful data exfiltration were observed. The flaw’s CVSS ranged from 9.3 to 9.8, and because the debug API required no authentication, remote exploitation needed only network reachability to the affected Weaver instance.
| Attack phase | Attacker action | Observed outcome |
|---|---|---|
| Recon / RCE verification | Goby‑linked callbacks via reflected HTTP responses | RCE confirmed; HTTP reflection observed |
| Binary delivery | vsgbt.exe, hjchhb.exe, nvm.exe | EDR quarantined/blocked |
| Installer attempt | fanwei0324.msi (target‑aware) | Malformed; failed to execute |
| Evasion / fileless | powershell.exe copied to 2.txt; obfuscated fetches | EDR prevented script execution; no persistence |
Practical checkpoints, constraints, and what to watch next
If you ran Weaver E‑cology 10.0 before the March 12, 2026 patch, upgrade immediately—no alternative mitigations have been published and patching is the only confirmed fix. As an operational constraint, teams must also treat unauthenticated developer/debug endpoints as immediate high‑risk attack surfaces: restrict /papi/ access with VPNs or IP allowlists and enforce input validation where possible.
Hunt items and short‑term detection priorities: search logs for POST requests to /papi/esearch/data/devops/dubboApi/debug/method, look for HTTP response reflections tied to unknown callbacks (Goby indicators), check EDR quarantines for the specific filenames vsgbt.exe, hjchhb.exe, nvm.exe and fanwei0324.msi, and flag processes launched as 2.txt or anomalous child processes spawned by the Tomcat JVM. The next checkpoint for defenders is whether other enterprise platforms expose unauthenticated debug APIs and how quickly vendors issue patches and access restrictions.
Quick Q&A
Q: Is patching alone sufficient? A: For this vulnerability, yes—install the March 12 patch; layered defenses helped after exploitation began but did not replace the patch.
Q: What short‑term indicators should I prioritize? A: POSTs to the debug endpoint, HTTP callbacks consistent with Goby scanning, renamed PowerShell processes (2.txt), and failed MSI install attempts like fanwei0324.msi.
Q: What longer‑term change should teams make? A: Audit all developer/debug endpoints for authentication and exposure, and add endpoint/process telemetry checks that correlate JVM activity to unusual child processes or network callbacks.
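The hunt items listed above and the detection priorities in the Q&A, worked through as an added Python example (this is not code from the advisory or from Weaver). It parses Tomcat-style access log lines for requests to the debug endpoint and scores process-creation events for the behaviours the report describes: the Tomcat JVM spawning PowerShell or msiexec, an executable running under the renamed 2.txt name, the reported filenames on the command line, and encoded or download-style PowerShell arguments. The log lines and process events are constructed samples; the JVM image names, the list of suspicious child processes and the encoded-command heuristic are assumptions, not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameters abused in the reported intrusion (from the advisory).
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
DEBUG_PARAMS = ("interfaceName", "methodName")
# Filenames reported in the intrusion; 2.txt is the renamed powershell.exe copy.
SUSPECT_FILES = {"vsgbt.exe", "hjchhb.exe", "nvm.exe", "fanwei0324.msi", "2.txt"}
# Assumed: image names of the Tomcat JVM host process on Windows.
JVM_IMAGES = {"java.exe", "javaw.exe", "tomcat9.exe"}
# Assumed: children a web-application JVM should not normally spawn.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "msiexec.exe"}
# Assumed heuristic for obfuscated or remote-fetching PowerShell command lines.
ENCODED_FLAGS = ("-enc", "-encodedcommand", "downloadstring")

# Tomcat/Apache "common" access log format.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def hunt_access_log(lines):
    """Return every request to the debug endpoint with the reasons it was flagged.
    POST bodies are not in access logs, so parameter checks only see query strings."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != DEBUG_ENDPOINT:
            continue
        reasons = [f"{m['method']} to debug endpoint"]
        if any(p in parse_qs(parts.query) for p in DEBUG_PARAMS):
            reasons.append("interfaceName/methodName supplied in query string")
        hits.append({"src": m["src"], "ts": m["ts"],
                     "status": int(m["status"]), "reasons": reasons})
    return hits


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process_events(events):
    """Score process-creation events (dicts with parent_image, image, cmdline)."""
    hits = []
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
        cmd = ev.get("cmdline", "").lower()
        reasons = []
        if image in SUSPECT_FILES:
            reasons.append(f"known intrusion filename {image}")
        if not image.endswith(".exe"):
            reasons.append(f"executable image without .exe extension ({image})")
        if parent in JVM_IMAGES and (image in SUSPECT_CHILDREN or not image.endswith(".exe")):
            reasons.append(f"{parent} spawned {image}")
        for name in sorted(SUSPECT_FILES):
            if name != image and name in cmd:
                reasons.append(f"command line references {name}")
        if any(flag in cmd for flag in ENCODED_FLAGS):
            reasons.append("encoded or download-style PowerShell command line")
        if reasons:
            hits.append({"image": image, "parent": parent, "reasons": reasons})
    return hits


# Constructed sample data: one benign and two suspicious debug-endpoint requests.
ACCESS_LOG = [
    '10.1.2.3 - - [31/Mar/2026:09:12:41 +0000] "GET /login/Login.jsp HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Mar/2026:09:13:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 843',
    '203.0.113.9 - - [31/Mar/2026:09:13:05 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=x&methodName=y HTTP/1.1" 200 412',
    '10.1.2.7 - - [31/Mar/2026:09:14:10 +0000] "GET /papi/esearch/data/other HTTP/1.1" 404 0',
]
# Constructed sample process events mirroring the reported behaviour.
PROCESS_EVENTS = [
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Weaver\jdk\bin\java.exe",
     "cmdline": "java.exe -Dcatalina.home=C:\\Weaver\\tomcat org.apache.catalina.startup.Bootstrap start"},
    {"parent_image": r"C:\Weaver\jdk\bin\java.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"parent_image": r"C:\Weaver\jdk\bin\java.exe", "image": r"C:\Windows\Temp\2.txt",
     "cmdline": "2.txt -nop -w hidden -enc QgBCAEIA"},
    {"parent_image": r"C:\Weaver\jdk\bin\java.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for hit in hunt_access_log(ACCESS_LOG) + hunt_process_events(PROCESS_EVENTS):
        print(hit)
```

In practice the access-log pass should be the first thing run, since the debug endpoint is the single choke point every observed intrusion passed through, and the process pass is where EDR telemetry (Sysmon event 1, or the EDR's own process-creation feed) is joined back to the JVM: the three flagged events here are exactly the JVM-spawned PowerShell, the 2.txt copy and the fanwei0324.msi install attempt described above, while the legitimate JVM start and an interactive PowerShell session are left alone.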