Published May 5, 2026 · Updated May 17, 2026 · 1 source

Critical MetInfo CMS Vulnerability Under Active Exploitation

A critical code injection vulnerability in MetInfo CMS is being actively exploited in the wild, allowing unauthenticated attackers to achieve remote code execution on vulnerable servers.

Threat actors are actively exploiting a critical code injection vulnerability in the MetInfo content management system (CMS), allowing unauthenticated remote attackers to gain full control over affected servers (The Hacker News). The flaw, tracked as CVE-2026-29014, carries a critical CVSS score of 9.8 and impacts MetInfo CMS versions 7.9, 8.0, and 8.1 (The Hacker News).

The vulnerability originates from insufficient input neutralization within the `/app/system/weixin/include/class/weixinreply.class.php` script (The Hacker News). According to security researcher Egidio Romano, who discovered the flaw, the issue stems from a failure to adequately sanitize user-supplied input when the system processes Weixin (WeChat) API requests (The Hacker News). By sending crafted requests containing malicious PHP code, an attacker can trigger arbitrary code execution on the underlying server (The Hacker News).

For successful exploitation on non-Windows servers, the `/cache/weixin/` directory must exist, which is typically created during the installation and configuration of the official WeChat plugin (The Hacker News). Once this prerequisite is met, the lack of input sanitization allows remote, unauthenticated actors to bypass security controls and execute arbitrary code (The Hacker News).

The impact of this vulnerability is significant, with approximately 2,000 instances of MetInfo CMS currently exposed online, the majority of which are located in China (The Hacker News). While exploitation attempts were initially sparse and limited to automated probing of honeypots in the U.S. and Singapore starting April 25, 2026, activity surged significantly on May 1, 2026, with a primary focus on IP addresses in China and Hong Kong (The Hacker News).

MetInfo released patches to address CVE-2026-29014 on April 7, 2026 (The Hacker News). Organizations utilizing the affected versions of the CMS are urged to apply these updates immediately to mitigate the risk of remote code execution. No further workarounds have been detailed, making the official vendor patch the primary defense against ongoing exploitation attempts (The Hacker News).
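To help order the patching work, the shell function below checks a web root against the conditions described above: an affected version line, the presence of the named `weixinreply.class.php` script, and the `cache/weixin` directory. It is an added example, not code from MetInfo or the original report; the function name `metinfo_triage`, its result labels, and the operator-supplied version argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage a MetInfo web root against the conditions the article
# gives for CVE-2026-29014. It cannot tell whether the vendor patch is applied.
# Assumption: the operator supplies the version string; point releases such as
# 8.1.2 are treated as their major.minor line.
metinfo_triage() {
    webroot=$1
    minor=$(printf '%s' "$2" | cut -d. -f1,2)
    case "$minor" in
        7.9|8.0|8.1) ;;                     # versions the article lists as affected
        *) echo "VERSION_NOT_LISTED"; return 0 ;;
    esac
    # Script the article names as the origin of the flaw.
    if [ ! -f "$webroot/app/system/weixin/include/class/weixinreply.class.php" ]; then
        echo "WEIXIN_SCRIPT_ABSENT"; return 0
    fi
    # Precondition stated for non-Windows servers: cache/weixin exists.
    if [ -d "$webroot/cache/weixin" ]; then
        echo "AFFECTED_CACHE_DIR_PRESENT"
    else
        echo "AFFECTED_CACHE_DIR_ABSENT"
    fi
}

# Constructed sample: two throwaway web roots built under a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    for site in a b; do
        mkdir -p "$tmp/$site/app/system/weixin/include/class"
        : > "$tmp/$site/app/system/weixin/include/class/weixinreply.class.php"
    done
    mkdir -p "$tmp/a/cache/weixin"          # site a has the WeChat plugin cache
    echo "a 8.1:   $(metinfo_triage "$tmp/a" 8.1)"
    echo "b 7.9.3: $(metinfo_triage "$tmp/b" 7.9.3)"
    echo "a 6.2:   $(metinfo_triage "$tmp/a" 6.2)"
    rm -rf "$tmp"
}
demo
```

Both `AFFECTED_*` results still call for the vendor update; the directory check only separates hosts where the stated non-Windows precondition is already met from those where it is not.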

The rapid transition from initial discovery to active exploitation highlights the persistent threat posed by unpatched vulnerabilities in widely used CMS platforms. As threat actors continue to weaponize such flaws shortly after disclosure, the incident underscores the necessity for rapid patch management cycles. Security teams should monitor for unauthorized access attempts and ensure that all internet-facing CMS instances are running the latest, secured versions to prevent compromise (The Hacker News).

Synthesized by Vypr AI