MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
Source: The Hacker News
Vulnerability Overview
- CVE ID: CVE-2026-29014
- CVSS Score: 9.8 (Critical)
- Type: Unauthenticated PHP code injection → Remote Code Execution (RCE)
- Affected Software: MetInfo CMS 7.9, 8.0, 8.1 (open‑source)
The NIST National Vulnerability Database notes that the flaw stems from insufficient input neutralization, allowing attackers to achieve remote code execution and gain full control over the affected server.

Technical Details
Affected Component
The vulnerability originates in the file:
/app/system/weixin/include/class/weixinreply.class.php
The script fails to properly sanitize user‑supplied input when constructing Weixin (WeChat) API requests.
Exploitation Prerequisites
- The target must be running MetInfo on a non‑Windows server.
- The directory /cache/weixin/ must exist. This directory is created during the installation and configuration of the official WeChat plugin.
When these conditions are met, an unauthenticated attacker can inject arbitrary PHP code via crafted HTTP requests.

Exploitation Activity
- Initial public disclosure: April 7 2026 (patch released by MetInfo).
- First observed exploitation: April 25 2026, with a limited number of exploits targeting honeypots in the United States and Singapore.
- Activity surge: May 1 2026, focusing on IP addresses in China and Hong Kong.
- Scope: Approximately 2,000 publicly accessible MetInfo installations, the majority located in China.

Mitigation and Patches
MetInfo issued a security update on April 7 2026 that addresses CVE‑2026‑29014. Administrators should:
- Apply the official patch from the MetInfo website.
- Verify the existence of the /cache/weixin/ directory and remove it if the WeChat plugin is not required.
- Restrict access to the vulnerable endpoint (e.g., via a web application firewall) until the patch is applied.
- Monitor logs for suspicious requests targeting weixinreply.class.php.
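
The directory and log checks from the list above, as an added triage example (not code from MetInfo or from the article): it reports the prerequisites named under Exploitation Prerequisites for one web root and flags access-log lines that reference the vulnerable script. The combined log format, the web root path, the sample log lines and the /cache/weixin/ marker are assumptions.

```python
import platform
import re
from pathlib import Path
from urllib.parse import unquote

# Paths taken from the advisory text above, relative to the MetInfo web root.
VULN_FILE = "app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR = "cache/weixin"
# Substrings to flag in request targets. The second marker is an assumption:
# the page only asks to watch for weixinreply.class.php.
MARKERS = ("weixinreply.class.php", "/cache/weixin/")

# Leading fields of an Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def exposure(webroot, system=None):
    """Report the exploitation prerequisites named on the page for one web root."""
    root = Path(webroot)
    facts = {
        "component_present": (root / VULN_FILE).is_file(),  # says nothing about patch level
        "cache_weixin_exists": (root / CACHE_DIR).is_dir(),
        "non_windows": (system or platform.system()) != "Windows",
    }
    facts["prerequisites_met"] = all(facts.values())
    return facts

def suspicious_requests(lines):
    """Return (ip, timestamp, method, target, status) for log lines worth review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        decoded = unquote(m["target"]).lower()  # catch percent-encoded paths
        if any(marker in decoded for marker in MARKERS):
            hits.append((m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2026:10:00:05 +0000] "POST /app/system/weixin/include/class/weixinreply.class.php HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '203.0.113.4 - - [01/May/2026:10:00:09 +0000] "GET /cache/weixin%2F HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    print(exposure("/var/www/html"), suspicious_requests(SAMPLE_LOG))  # hypothetical web root
```

A true `prerequisites_met` means the conditions listed on the page hold for that web root; it does not tell whether the April 7 2026 update has been applied.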

References
- NVD entry for CVE‑2026‑29014:
- Original discovery by Egidio Romano:
- MetInfo security advisory (patch release):
- Commentary from Caitlin Condon, VulnCheck: