VYPR
Advisory · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Critical RCE Vulnerabilities in MetInfo and Weaver E-cology Under Active Exploitation

Threat actors are actively exploiting critical, unauthenticated remote code execution vulnerabilities in MetInfo CMS and Weaver E-cology, leading to potential full server compromise.

Threat actors are actively exploiting two critical-severity, unauthenticated remote code execution (RCE) vulnerabilities affecting MetInfo CMS and Weaver E-cology, according to reports from SecurityWeek. Both vulnerabilities allow attackers to gain full control over affected servers without requiring any prior authentication, posing a significant risk to organizations utilizing these platforms.

The vulnerability in MetInfo, tracked as CVE-2026-29014, carries a critical CVSS score of 9.8. This PHP code injection flaw stems from the application's failure to properly neutralize user-supplied input. By sending specially crafted requests, attackers can inject and execute arbitrary PHP code on the server. According to SecurityWeek, while initial exploitation attempts were limited and likely automated, activity surged over the weekend, with a notable focus on deployments located in Singapore. There are approximately 2,000 instances of MetInfo CMS currently exposed to the internet, with the majority of these deployments concentrated in China (SecurityWeek).

Separately, the Weaver E-cology platform is under attack due to a critical RCE vulnerability tracked as CVE-2026-22679, which holds a CVSS score of 9.3. This flaw exists because of exposed debug functionality that can be triggered via crafted POST requests to execute arbitrary commands. SecurityWeek reports that attackers began probing this vulnerability using ping callbacks less than a week after patches were released on March 12.

The exploitation pattern for Weaver E-cology is distinct, as attackers do not necessarily require a persistent shell. Instead, they leverage the debug endpoint itself as a functional shell, utilizing strict request/response semantics to execute discovery commands and deliver payloads concurrently (SecurityWeek). This method allows attackers to maintain control and perform reconnaissance through the same endpoint used for initial exploitation.

Patches for the Weaver E-cology vulnerability have been available since March 12, and users are urged to apply them immediately to prevent unauthorized access. For MetInfo, the vulnerability was disclosed in early April, and organizations should ensure they are running the latest, patched versions of the software to mitigate the risk of RCE.

The active exploitation of these two platforms highlights a broader trend where threat actors rapidly weaponize vulnerabilities in enterprise content management and office automation software. Because these systems often hold sensitive organizational data and provide broad network access, they remain high-value targets for attackers seeking to establish a foothold in corporate environments. Organizations should prioritize patching these specific flaws and monitor their infrastructure for signs of unauthorized access or unusual POST requests directed at debug or input-handling endpoints.
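One way to act on the monitoring advice above, as an added example that is not from SecurityWeek or either vendor: it scans web access logs for a single client sending a burst of POSTs to a watched endpoint with varying response sizes, the request/response pattern described for the Weaver debug endpoint. The endpoint path is a placeholder because the advisory does not name it, the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the advisory does not name the debug endpoint. Replace with the
# path(s) identified in the vendor's patch notes for your deployment.
WATCHED_PATHS = ("/PLACEHOLDER/debug-endpoint",)

# Combined Log Format prefix: ip - user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_shell_like_sessions(lines, window=timedelta(minutes=10), min_posts=3):
    """Map (ip, path) -> largest in-window POST burst with varying response sizes."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        path = m["path"].split("?", 1)[0] if m else None  # drop query string
        if not m or m["method"] != "POST" or path not in WATCHED_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[(m["ip"], path)].append((ts, size))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            burst = events[start:end + 1]
            # Varying sizes suggest differing command output, not a health check
            if len(burst) >= min_posts and len({s for _, s in burst}) > 1:
                flagged[key] = max(flagged.get(key, 0), len(burst))
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
P = WATCHED_PATHS[0]
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/May/2026:10:00:01 +0000] "POST {P} HTTP/1.1" 200 112',
    f'203.0.113.7 - - [17/May/2026:10:00:40 +0000] "POST {P}?x=1 HTTP/1.1" 200 845',
    f'203.0.113.7 - - [17/May/2026:10:02:15 +0000] "POST {P} HTTP/1.1" 200 2310',
    f'192.0.2.55 - - [17/May/2026:08:00:00 +0000] "POST {P} HTTP/1.1" 200 64',
    f'192.0.2.55 - - [17/May/2026:08:00:30 +0000] "POST {P} HTTP/1.1" 200 64',
    f'192.0.2.55 - - [17/May/2026:08:01:00 +0000] "POST {P} HTTP/1.1" 200 64',
    f'203.0.113.7 - - [17/May/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]
```

On a patched system the watched path should see no successful POSTs at all, so any flagged client is worth correlating with process-creation and outbound-connection logs on the host.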

Synthesized by Vypr AI