Attackers Actively Exploit Critical RCE Flaw (CVE-2026-29014) in MetInfo CMS

Executive Summary

A critical remote code execution (RCE) vulnerability in the MetInfo content management system (CMS), tracked as CVE-2026-29014, is under active and widespread exploitation. The vulnerability, rated 9.8 on the CVSS scale, allows an unauthenticated attacker to inject and execute arbitrary PHP code, leading to complete server takeover. The flaw affects MetInfo versions 7.9, 8.0, and 8.1. Although patches were released on April 7, 2026, exploitation began as early as April 25 and escalated significantly around May 1, 2026. Publicly available exploit code has fueled these attacks, which are predominantly targeting systems in China and Hong Kong. Organizations using vulnerable versions of MetInfo CMS are urged to apply the available patches immediately to prevent compromise.

Vulnerability Details

• CVE ID: CVE-2026-29014
• CVSS Score: 9.8 (Critical)
• Affected Versions: MetInfo CMS 7.9, 8.0, 8.1
• Vulnerability Type: Unauthenticated PHP Code Injection

The vulnerability exists in the /app/system/weixin/include/class/weixinreply.class.php script, which is part of the CMS's integration with the WeChat (Weixin) social media platform. The script fails to properly sanitize user-supplied input when processing API requests. This allows a remote attacker to craft a special request containing malicious PHP code. When the server processes this request, the injected code is executed with the privileges of the web server process.

A key prerequisite for successful exploitation on non-Windows servers is the existence of the /cache/weixin/ directory. This directory is created automatically when the official WeChat plugin is installed, making most installations with this feature enabled vulnerable.

Exploitation Status

• Patch Release: April 7, 2026
• Initial Exploitation: Observed as early as April 25, 2026, with probing attacks against honeypots.
• Mass Exploitation: A significant surge in exploitation activity began on May 1, 2026.
• Targets: While global, the majority of attacks have been directed at IP addresses in China and Hong Kong, where the CMS is most popular.
• Public Exploit: Proof-of-concept (PoC) exploit code is publicly available, lowering the barrier for attackers.

There are an estimated 2,000 MetInfo CMS instances exposed to the internet, all of which are potential targets.

Impact Assessment

Successful exploitation of CVE-2026-29014 grants an attacker full control over the underlying server. The potential impact includes:

• Complete Server Compromise: Attackers can execute any command, read, write, or delete any file on the server.
• Data Theft: Sensitive information stored on the server, including database contents, user credentials, and personal data, can be stolen.
• Website Defacement: Attackers can alter the content of the website hosted on the server.
• Malware Hosting: The compromised server can be used to host and distribute malware, phishing pages, or act as a C2 server for other attacks.
• Lateral Movement: The server can be used as a pivot point to attack other systems within the same network.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Detection Methods

1. Log Analysis: Scrutinize web server access logs for requests to weixinreply.class.php. Look for anomalous POST requests, especially those with payloads containing PHP functions like system(), eval(), shell_exec(), or base64_decode().
2. File Integrity Monitoring (FIM): Monitor for the creation of unexpected files (e.g., web shells) in web-accessible directories. A common indicator of compromise is a new PHP file appearing in directories like /, /tmp/, or the web root.
3. Vulnerability Scanning: Use a vulnerability scanner updated with a plugin for CVE-2026-29014 to identify vulnerable MetInfo instances in your environment.
4. Network Intrusion Detection System (NIDS): Deploy NIDS signatures that can detect the specific patterns of the exploit request in network traffic.

Remediation Steps

1. Patch Immediately: The primary remediation is to update to a patched version of MetInfo CMS. The vendor released patches on April 7, 2026. Organizations should upgrade to version 8.2 or later.
2. Assume Compromise: If you are running a vulnerable version, assume the system has been compromised. Isolate the server and conduct a thorough investigation for backdoors, web shells, and other malicious artifacts before bringing it back online.
3. Virtual Patching: If immediate patching is not possible, use a Web Application Firewall (WAF) to create a rule that blocks requests to the vulnerable weixinreply.class.php script. This should be considered a temporary mitigation.
4. Remove Unused Plugins: If the WeChat plugin is not in use, disabling or removing it can mitigate this specific vulnerability by removing the prerequisite /cache/weixin/ directory and the vulnerable script.