Vulnerability Management , Patch/Configuration Management , Security Operations , SOC Critical 9.8 Weaver E-cology vulnerability actively exploited May 5, 2026 Share By Steve Zurier (Adobe Stock) A 9.8 critical bug in the Weaver E-cology 10.0 business process management app was actively exploited in the wild, letting attackers run remote code execution (RCE) by invoking an exposed debug functionality. Although the vast majority of Weaver E-cology’s 70,000 to 80,000 customers are in Asia, there are customers in the United States and security pros said the attacks demonstrate a much different threat vector than the standard attacks on firewalls and network management platforms. Noelle Murata, chief operating officer at Xcape, Inc., said the active exploitation of CVE-2026-22679 in Weaver E-cology marks a pivotal shift in the threat landscape: For years, the security industry has focused on the "front door" — firewalls, VPNs, and email gateways. But Murata said as those perimeters harden, adversaries are moving to the "soft center" — office automation (OA) and business process management (BPM) platforms. “The real danger here is the target’s location in the stack,” said Muarata. “Weaver E-cology isn't just a tool, it’s the nervous system of an enterprise. It handles internal workflows, document management, and sensitive HR approvals. By exploiting a Dubbo-based debug API, attackers aren't just getting a foothold, they are gaining unauthenticated, root-level control over the very system that manages the organization's internal secrets.” Murata added that while Weaver’s headquarters is in Shanghai, its U.S. footprint has become critical. Multinational firms in the logistics, manufacturing, and financial sectors use E-cology as the primary bridge for cross-border operations. “A compromise in a U.S. branch can serve as the ‘Patient Zero’ for a lateral move into the global corporate headquarters,” said Murata. Weaver issued a patch for E-cology 10.0 in March. Steve Zurier Related AI/ML NCSC warns AI accelerates vulnerability discovery, prompting urgent patch wave SC Staff May 5, 2026 The NCSC highlights that skilled attackers leveraging AI can identify software weaknesses at an unprecedented pace. Vulnerability Management Progress Software warns of critical MOVEit Automation vulnerability SC Staff May 5, 2026 The vulnerability, tracked as CVE-2026-4670, affects multiple versions of MOVEit Automation. Vulnerability Management CISA reportedly considers 3-day patch deadline for KEV flaws Laura French May 5, 2026 Officials are considering how AI tools like Claude Mythos could shorten exploit timelines, Reuters reports. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Blue Team Bug Buffer Overflow Cold Warm Hot Disaster Recovery Site Countermeasure Cron Daemon Disassembly Disaster Recovery Plan (DRP) You can skip this ad in 5 seconds