Full Report
Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code
Analysis Summary
# Vulnerability: MetInfo CMS Unauthenticated Remote Code Execution
## CVE Details
- **CVE ID**: CVE-2026-29014
- **CVSS Score**: 9.8 (Critical)
- **CWE**: CWE-94 (Improper Control of Generation of Code / Code Injection)
## Affected Systems
- **Products**: MetInfo CMS
- **Versions**: 7.9, 8.0, and 8.1
- **Configurations**:
- Vulnerability resides in the WeChat (Weixin) integration.
- **Non-Windows Servers**: Exploitation requires the existence of the `/cache/weixin/` directory (typically created during the installation/configuration of the official WeChat plugin).
## Vulnerability Description
CVE-2026-29014 is an unauthenticated PHP code injection vulnerability located in the `/app/system/weixin/include/class/weixinreply.class.php` script. The flaw stems from insufficient sanitization of user-supplied input when the CMS issues Weixin (WeChat) API requests. Attackers can exploit this lack of input neutralization to inject malicious PHP code into the execution path, leading to arbitrary code execution.
## Exploitation
- **Status**: Exploited in the wild. Initial automated probing was detected around April 25, 2026, with a significant surge in active exploitation targeting IPs in China and Hong Kong starting May 1, 2026.
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: Total (Full access to server data)
- **Integrity**: Total (Full control over the affected server and software)
- **Availability**: Total (Ability to disrupt services or delete data)
## Remediation
### Patches
- MetInfo released official patches on **April 7, 2026**. Users should update their CMS installations to the latest version via the official [metinfo.cn](https://www.metinfo.cn/news/2875.html) portal.
### Workarounds
- If immediate patching is not possible, consider disabling the WeChat plugin or restricting access to the `/app/system/weixin/` directory.
- For non-Windows environments, removing the `/cache/weixin/` directory may neutralize the current known exploitation path.
## Detection
- **Indicators of Compromise**:
- Unexpected PHP files or modified code within the `/app/system/weixin/` or `/cache/weixin/` directories.
- Unusual outbound network traffic to WeChat API endpoints.
- Web server logs showing suspicious crafted requests targeting `weixinreply.class.php`.
- **Detection methods and tools**: Monitor for unauthorized file system changes and use Web Application Firewalls (WAF) to filter for PHP injection patterns in requests directed at the MetInfo WeChat components.
## References
- Vendor Advisory: hxxps[://]www[.]metinfo[.]cn/news/2875[.]html
- Researcher Disclosure: hxxps[://]karmainsecurity[.]com/KIS-2026-06
- NVD Entry: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-29014
- Threat Analysis: hxxps[://]thehackernews[.]com/2026/05/metinfo-cms-cve-2026-29014-exploited[.]html