“The attacker copied powershell.exe to 2.txt to evade process-name-based detections, then issued obfuscated PowerShell commands using character arrays and case randomization. These commands attempted to fetch and execute remote scripts (xx.ps1, x.ps1) from 132.243.172 …”
T1190 Exploit Public-Facing Application
79%
“Critical Weaver E-cology RCE exploit raises alarm for enterprise systems. A critical unauthenticated remote code execution vulnerability in Weaver (Fanwei) E-cology is being actively exploited in the wild, with real-world intrusion activity traced back to mid-March 2026,…”
T1059.001 PowerShell
77%
“framework. The debug endpoint reflects command stdout in the HTTP response body, enabling the attacker to verify execution without a persistent shell. Phase 2 – payload delivery attempts (March 20–22): three PowerShell download cradles attempted to fetch executable payloads …”
T1190 Exploit Public-Facing Application
75%
“…aries, encoded command execution, and DownloadString-based fileless loaders. The campaign underscores a recurring challenge: patches ship, but unpatched enterprise systems remain reachable long enough for threat actors to operationalize exploits within days of disclosure. IOC…”
T1190 Exploit Public-Facing Application
70%
“.rpc.invokecommand” and methodname: “executecommand”, achieving host-level shell execution through the application’s own Tomcat-bundled Java virtual machine. The vendor patched the flaw on March 12, 2026, by removing the debug endpoint entirely. Despite this, the shad…”
T1195.002 Compromise Software Supply Chain
51%
“framework. The debug endpoint reflects command stdout in the HTTP response body, enabling the attacker to verify execution without a persistent shell. Phase 2 – payload delivery attempts (March 20–22): three PowerShell download cradles attempted to fetch executable payloads …”
T1218.007 Msiexec
43%
“framework. The debug endpoint reflects command stdout in the HTTP response body, enabling the attacker to verify execution without a persistent shell. Phase 2 – payload delivery attempts (March 20–22): three PowerShell download cradles attempted to fetch executable payloads …”
Summary
A critical unauthenticated remote code execution vulnerability in Weaver (Fanwei) E-cology is being actively exploited in the wild, with real-world intrusion activity traced back to mid-March 2026, weeks before public awareness. Tracked as CVE-2026-22679 with a CVSS score of 9.8, this flaw exposes enterprise office automation systems to full OS-level compromise without requiring any authentication.
Vulnerability Overview
CVE-2026-22679 […]