MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
Active exploitation of CVE-2026-29014 for remote code execution in MetInfo CMS
MetInfo CMS CVE-2026-29014 Actively Exploited for Remote Code Execution
TL;DR — A critical unauthenticated code injection vulnerability (CVE-2026-29014, CVSS 9.8) in MetInfo CMS versions 7.9, 8.0, and 8.1 is under active exploitation. Threat actors began probing honeypots on April 25, 2026, with exploitation activity surging toward China and Hong Kong on May 1. Patches were released April 7; immediate patching is essential for any MetInfo deployment.
What happened
On April 7, 2026, MetInfo released security patches for CVE-2026-29014, a PHP code injection vulnerability in the Weixin (WeChat) API request handler. Security researcher Egidio Romano discovered the flaw in the /app/system/weixin/include/class/weixinreply.class.php script, where insufficient input sanitization allows remote attackers to send crafted requests containing malicious PHP code.
The vulnerability requires no authentication. On non-Windows servers, exploitation also depends on the /cache/weixin/ directory existing beforehand—a directory created when administrators install and configure the official WeChat plugin.
VulnCheck began observing exploitation attempts on April 25, 2026, detecting what it characterized as a "small number of exploits" deployed against honeypots in the U.S. and Singapore. These initial efforts were sparse and associated with automated probing. However, on May 1, 2026, exploitation activity intensified sharply, with attackers shifting focus toward targets in China and Hong Kong, according to Caitlin Condon, vice president of security research at VulnCheck.
Approximately 2,000 instances of MetInfo CMS are accessible online, with the majority located in China.
Why it matters
CVE-2026-29014 grants unauthenticated attackers the ability to execute arbitrary PHP code and gain full control over the compromised server. An attacker who reaches an unpatched MetInfo instance can read sensitive files, modify website content, install backdoors, or pivot into the wider network.
The shift in exploitation activity from sparse, automated honeypot probing to a concentrated wave targeting China and Hong Kong on May 1 suggests that threat actors have moved from reconnaissance to targeted deployment. The geographic shift indicates either organized activity or coordination among multiple threat groups focused on that region.
For defenders operating MetInfo deployments in the MENA region or globally, the 18-day window between patch release (April 7) and intensive exploitation (May 1) underscores how quickly vulnerabilities transition from disclosure to active weaponization. Organizations running MetInfo must assume adversaries are actively scanning for unpatched instances.
Affected systems and CVEs
- MetInfo CMS 7.9 — CVE-2026-29014
- MetInfo CMS 8.0 — CVE-2026-29014
- MetInfo CMS 8.1 — CVE-2026-29014
CVE-2026-29014: Code injection in Weixin API handler, CVSS 9.8
What to do
- Apply the security patches released by MetInfo on April 7, 2026, immediately to all affected versions.
- If WeChat plugin functionality is not required, consider removing or disabling the Weixin integration to eliminate the attack surface.
- Monitor server logs and access patterns for POST requests to /app/system/weixin/ endpoints, particularly those containing PHP code or encoded payloads.
- On non-Windows deployments, verify the ownership and permissions of the /cache/weixin/ directory; restrict write access to the web server process.
- Conduct a baseline inventory of all MetInfo CMS instances in your infrastructure and confirm patch status.
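The log-monitoring step above can be scripted. The following is an added defender-side example, not code from the advisory or from MetInfo: it parses web-server access logs in the common "combined" format, picks out POST requests under the /app/system/weixin/ prefix named in the advisory, and escalates any whose request line carries PHP code markers after URL-decoding (including double-encoded payloads). The endpoint filename `EXAMPLE_ENDPOINT.php`, the marker list and the sample log lines are constructed for illustration; the only path taken from the advisory is the /app/system/weixin/ prefix.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (assumed). The request body is not logged,
# so only the request line (method, path, query string) can be inspected here;
# body-level inspection needs a WAF or module such as ModSecurity.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Handler prefix named in the advisory; every request under it is in scope.
WEIXIN_PREFIX = "/app/system/weixin/"

# Heuristic PHP-code markers (constructed list, not from the advisory).
PHP_MARKERS = ("<?php", "eval(", "assert(", "base64_decode(",
               "system(", "passthru(", "shell_exec(")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice so that double-URL-encoded payloads (%253C -> %3C -> <) are visible.
    entry["decoded_uri"] = unquote_plus(unquote_plus(entry["uri"]))
    return entry


def classify(entry):
    """Return 'escalate', 'review', or None for an out-of-scope request."""
    path = entry["decoded_uri"].split("?", 1)[0]
    if not path.startswith(WEIXIN_PREFIX) or entry["method"] != "POST":
        return None
    lowered = entry["decoded_uri"].lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return "escalate"       # PHP code visible in the request line
    return "review"             # POST to the handler: worth a look, not proof of attack


def scan(lines):
    """Return (verdict, ip, timestamp, raw_uri, status) for every in-scope request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((verdict, entry["ip"], entry["ts"], entry["uri"], entry["status"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses; placeholder endpoint name).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2026:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2026:10:15:02 +0000] "GET /app/system/weixin/EXAMPLE_ENDPOINT.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/May/2026:10:16:40 +0000] "POST /app/system/weixin/EXAMPLE_ENDPOINT.php?a=1 HTTP/1.1" 200 17 "-" "curl/8.0"',
    '198.51.100.23 - - [01/May/2026:10:16:41 +0000] "POST /app/system/weixin/EXAMPLE_ENDPOINT.php?q=%3C%3Fphp+echo+1%3B HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.23 - - [01/May/2026:10:16:42 +0000] "POST /app/system/weixin/EXAMPLE_ENDPOINT.php?q=%253C%253Fphp%2520echo HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for verdict, ip, ts, uri, status in scan(SAMPLE_LOG):
        print(f"{verdict.upper():9} {ip:15} {ts}  {status}  {uri}")
```

A plain POST to the handler is flagged "review" rather than "escalate", because legitimate WeChat callbacks also arrive as POSTs; the escalation tier is reserved for request lines that visibly carry PHP code. Since the body is not in the access log, a clean request line does not clear a request, and the "review" tier should be correlated with the patch status of the host and with the /cache/weixin/ check above.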
Open questions
- The advisory does not specify whether patches address all code injection attack vectors or solely the Weixin API injection path identified by Romano.
- Current patch adoption rate among MetInfo users remains unknown.
- The identity and motivation of the threat actors conducting exploitation have not been disclosed.
- It is unclear whether exploitation has progressed beyond automated honeypot probing to compromise actual production systems.
- The advisory does not clarify whether exploitation activity outside China and Hong Kong has occurred after May 1, 2026.
- It remains unknown whether Windows server deployments face alternative exploitation paths not dependent on the /cache/weixin/ directory.
Source
MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks