In recent developments, cybercriminals have been targeting a significant security vulnerability in MetInfo CMS, an open-source content management system, according to VulnCheck’s latest research. This critical flaw, identified as CVE-2026-29014 with a high CVSS score of 9.8, allows for code injection, leading to unauthorized code execution.
Understanding the Vulnerability
The CVE-2026-29014 flaw is a PHP code injection vulnerability present in MetInfo CMS versions 7.9, 8.0, and 8.1. This security gap enables remote attackers to execute arbitrary code by sending specially crafted requests containing malicious PHP code, as highlighted by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
The vulnerability arises from inadequate neutralization of user-supplied input before it reaches a code-execution path, which can give an attacker full control over the compromised server. Security researcher Egidio Romano, who identified the flaw, traced its origin to the script “/app/system/weixin/include/class/weixinreply.class.php”, which fails to properly sanitize user input when handling Weixin (also known as WeChat) API requests.
Exploitation and Impact
This vulnerability allows remote, unauthenticated attackers to inject and run arbitrary PHP code, provided certain conditions are met. For instance, on non-Windows servers running MetInfo, the “/cache/weixin/” directory must exist for exploitation to succeed. This directory is created automatically when the official WeChat plugin is installed and configured.
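As an added illustration (not code from the article, from VulnCheck or from MetInfo), the following Python script turns the preconditions above into a patch-priority check for a MetInfo web root: the affected version list, the vulnerable script path and the /cache/weixin/ directory are taken from the advisory, while the `assess_install`, `Exposure` and `demo_layout` names and the operator-supplied version string are this example's own assumptions.

```python
import os
import tempfile
from dataclasses import dataclass

# From the advisory: affected releases, the unsanitised script, and the plugin cache dir.
AFFECTED_VERSIONS = {"7.9", "8.0", "8.1"}
VULN_SCRIPT = "app/system/weixin/include/class/weixinreply.class.php"
PLUGIN_CACHE_DIR = "cache/weixin"


@dataclass
class Exposure:
    version_affected: bool
    script_present: bool
    cache_dir_present: bool
    windows_host: bool

    @property
    def exploitable(self) -> bool:
        # Advisory preconditions: affected version, WeChat script deployed, and on non-Windows hosts cache/weixin present.
        if not (self.version_affected and self.script_present):
            return False
        return self.windows_host or self.cache_dir_present

    @property
    def priority(self) -> str:
        if self.exploitable:
            return "patch-now"
        if self.version_affected and self.script_present:
            return "patch-soon"  # one plugin configuration away from exploitable
        return "not-affected"


def assess_install(root: str, version: str, windows_host: bool = False) -> Exposure:
    """Inspect a MetInfo web root; the version string is supplied by the operator (assumption: not read from disk)."""
    return Exposure(
        version_affected=version.strip() in AFFECTED_VERSIONS,
        script_present=os.path.isfile(os.path.join(root, VULN_SCRIPT)),
        cache_dir_present=os.path.isdir(os.path.join(root, PLUGIN_CACHE_DIR)),
        windows_host=windows_host,
    )


def demo_layout(with_cache_dir: bool = True) -> str:
    """Build a constructed web-root layout in a temp directory for a dry run."""
    root = tempfile.mkdtemp(prefix="metinfo-demo-")
    script = os.path.join(root, VULN_SCRIPT)
    os.makedirs(os.path.dirname(script))
    open(script, "w").close()  # empty stand-in for the real class file
    if with_cache_dir:
        os.makedirs(os.path.join(root, PLUGIN_CACHE_DIR))
    return root
```

Run it against a real web root with the version shown in the MetInfo admin panel; the "patch-soon" result flags installs where enabling the WeChat plugin would complete the exploitation preconditions.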
Exploitation of CVE-2026-29014 began after MetInfo released patches on April 7, 2026. Since April 25, there have been reports of targeted attacks on vulnerable systems, particularly against honeypots in the U.S. and Singapore. Initially these attacks were limited to automated probing, but activity escalated significantly on May 1, 2026, with a particular focus on IP addresses in China and Hong Kong.
Current and Future Outlook
The surge in exploitation attempts highlights the urgent need for organizations using MetInfo CMS to apply the security patches released by MetInfo promptly. With approximately 2,000 MetInfo CMS instances publicly accessible online, primarily in China, the risk of widespread exploitation remains high.
Moving forward, it is crucial for developers and administrators to ensure proper input sanitization and to stay updated with the latest security patches to safeguard against such vulnerabilities. As attackers continue to evolve their tactics, proactive security measures and continuous monitoring will be essential in mitigating potential threats.
