Threat actors are actively exploiting a critical security flaw in the open-source MetInfo content management system (CMS), allowing for widespread unauthorized access. The vulnerability, identified as CVE-2026-29014, poses a significant risk to websites running on affected versions of the popular platform.
This critical security flaw, with a CVSS score of 9.8, enables arbitrary code execution, meaning attackers can run any command they wish on a compromised server. The exploitation of this MetInfo CMS vulnerability has been confirmed by security researchers, highlighting the urgent need for users to update their systems.
MetInfo CMS Targeted by Active Exploitation of Critical Flaw
New findings from VulnCheck reveal that a severe security vulnerability impacting the MetInfo content management system is now being actively exploited by malicious actors. The flaw, officially designated CVE-2026-29014, is a critical PHP code injection vulnerability that, according to the NIST National Vulnerability Database (NVD), allows remote attackers to execute arbitrary code.
The NVD further specifies that “MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability.” This means attackers do not need any prior authentication to exploit the system. They can achieve remote code execution by sending specially crafted requests containing malicious PHP code, potentially gaining full control over the affected server.
Technical Details of the Code Injection Vulnerability
Security researcher Egidio Romano identified the root cause of the vulnerability within the “/app/system/weixin/include/class/weixinreply.class.php” script. The issue stems from insufficient sanitization of user-supplied input when the system processes Weixin (also known as WeChat) API requests.
This lack of adequate input validation allows remote, unauthenticated attackers to inject and execute arbitrary PHP code. For successful exploitation on non-Windows servers, a key prerequisite is the prior existence of the “/cache/weixin/” directory. This directory is typically created during the installation and configuration of the official WeChat plugin for MetInfo.
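As an added example (not code from MetInfo, VulnCheck or the researcher), the following shell functions triage web roots on a non-Windows host by checking for the script and the “/cache/weixin/” directory named above. The function names and result labels are hypothetical, and the check reports only whether the precondition exists, not whether the patch has been applied.

```shell
#!/bin/sh
# Added example: triage MetInfo web roots for the CVE-2026-29014 precondition
# on non-Windows servers. The two relative paths come from the article; the
# function names and labels are hypothetical, chosen for this example.
# The result says nothing about patch level: patch every affected install.

VULN_SCRIPT="app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR="cache/weixin"

# Print one label for a web root:
#   not-a-directory    the argument is not a directory
#   no-weixin-handler  the script named in the advisory is absent
#   handler-only       script present, cache/weixin/ absent
#   precondition-met   script present and cache/weixin/ exists
metinfo_weixin_triage() {
    root=${1%/}                      # tolerate a trailing slash
    if [ ! -d "$root" ]; then
        echo "not-a-directory"
    elif [ ! -f "$root/$VULN_SCRIPT" ]; then
        echo "no-weixin-handler"
    elif [ -d "$root/$CACHE_DIR" ]; then   # -d follows symlinks on purpose
        echo "precondition-met"
    else
        echo "handler-only"
    fi
}

# Triage several web roots; print "label<TAB>root" per line and return 1
# if any root meets the precondition, so the result can gate a patch job.
triage_all() {
    found=0
    for r in "$@"; do
        label=$(metinfo_weixin_triage "$r")
        printf '%s\t%s\n' "$label" "$r"
        if [ "$label" = "precondition-met" ]; then
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: sh triage.sh /var/www/site1 /var/www/site2
if [ "$#" -gt 0 ]; then
    triage_all "$@"
fi
```

Roots reported as precondition-met are the ones to patch and review first; handler-only installs still need the patch, since the directory is created when the WeChat plugin is installed and configured.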
Timeline of Exploitation and Geographical Focus
MetInfo released patches for CVE-2026-29014 on April 7, 2026. Despite the availability of fixes, exploitation began quickly, with activity observed as early as April 25, 2026. Initial exploit attempts were reportedly sparse, targeting susceptible honeypots in the United States and Singapore.
However, the nature and intensity of these attacks have shifted. Caitlin Condon, vice president of security research at VulnCheck, noted a significant surge in exploitation activity starting on May 1, 2026. This escalated activity has shown a particular focus on IP addresses in China and Hong Kong.
The widespread use of MetInfo CMS, particularly in China, exacerbates the potential impact of this vulnerability. Current estimates indicate that as many as 2,000 instances of MetInfo CMS are accessible online. With an attack surface this large, a significant number of websites remain vulnerable until they are updated, presenting a substantial risk of compromise and data breaches.
Implications and Next Steps for Users
The active exploitation of CVE-2026-29014 underscores the ongoing threat to web applications and content management systems. The unauthenticated nature of this vulnerability makes it particularly attractive to attackers seeking to compromise websites with minimal effort.
Website administrators and users of MetInfo CMS, especially versions 7.9, 8.0, and 8.1, are strongly urged to apply the available security patches immediately. Failure to do so leaves them exposed to potential code injection attacks, which can lead to severe consequences including website defacement, data theft, or the use of compromised servers for further malicious activities. Vigilance in monitoring network traffic for suspicious activity is also recommended.
The ongoing exploitation suggests that attackers will continue to probe for vulnerable MetInfo installations. Users should remain informed about any further security advisories from MetInfo or cybersecurity researchers. The future focus of exploits and the discovery of new attack vectors remain key areas to monitor in the coming weeks and months.

