CVE-2026-29014 (CVSS score: 9.8) is a critical, unauthenticated PHP code‑injection flaw in the MetInfo content management system that can allow remote attackers to execute arbitrary code, according to the NVD and new research from VulnCheck.
MetInfo Weixin integration: where the vulnerability lives
The National Vulnerability Database describes the issue bluntly: "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code." The NVD further warns that "attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server."
Security researcher Egidio Romano, who found the flaw, traces the root cause to a single script: /app/system/weixin/include/class/weixinreply.class.php. The technical reality is straightforward: the script fails to adequately sanitize user‑supplied input when making Weixin (WeChat) API requests, creating an execution path that accepts injected PHP.
Technical prerequisite: the /cache/weixin/ directory and the official WeChat plugin
Romano and the advisory material make one operational detail clear: on non‑Windows servers, exploitation requires that the /cache/weixin/ directory already exist. That directory is created when an administrator installs and configures MetInfo's official WeChat plugin. In practical terms, the presence of that directory — the byproduct of enabling Weixin integration — is a precondition for remote, unauthenticated code execution on affected versions.
Patch and exploitation timeline
MetInfo released patches for CVE‑2026‑29014 on April 7, 2026. Despite the availability of fixes, exploitation was observed within weeks: activity first appeared on April 25, 2026, when a "small number of exploits" were deployed against honeypots located in the United States and Singapore, according to VulnCheck.
Initial probing was sparse and largely automated, but VulnCheck recorded a marked escalation on May 1, 2026. Caitlin Condon, vice president of security research at VulnCheck, reported that the subsequent surge of activity focused on IP addresses associated with China and Hong Kong. VulnCheck also notes that as many as 2,000 instances of MetInfo CMS remain accessible online, most of which are in China.
Observed attacks: honeypots, automated probes, and a rapid increase
The early pattern observed by VulnCheck fits a common exploitation arc: automated scanning and probing against internet‑accessible instances, limited successful exploitation against decoy systems (honeypots), then a regional intensification. The initial April 25 engagements targeted honeypots in the U.S. and Singapore; by May 1, exploit traffic concentrated on China and Hong Kong IP ranges.
While VulnCheck characterizes the first wave as "automated probing," the later surge suggests attackers shifted from reconnaissance at scale to active exploitation attempts. The NVD's technical assessment — that successful exploitation can yield "full control over the affected server" — underscores why the scans moved quickly from experimentation to more focused attempts.
What this means for technologists and security teams, affected enterprises and procurement leaders, and adversaries and threat actors
- Technologists and security teams: systems running MetInfo versions 7.9, 8.0, or 8.1 that have the WeChat plugin installed and the /cache/weixin/ directory present are directly at risk of unauthenticated remote code execution. The presence of working exploits against honeypots and the recorded surge of activity indicate a short window between disclosure and active exploitation.
- Affected enterprises and procurement leaders: with "as many as 2,000" publicly accessible MetInfo instances reported online — most in China — organizations should prioritize inventorying any MetInfo deployments and confirm whether the Weixin integration was activated, since that configuration creates the necessary exploitation condition.
- Adversaries and threat actors: the observable shift from automated reconnaissance to concentrated exploitation on May 1 shows how cheaply and rapidly code‑injection flaws can be weaponized once proof‑of‑concept activity appears; the documented requirement for the /cache/weixin/ directory may also guide attackers toward instances with WeChat plugin use.
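To act on the inventory step above, the following triage helper combines the conditions this article states (affected versions 7.9/8.0/8.1, the weixinreply.class.php script, the /cache/weixin/ directory precondition on non‑Windows hosts) into a per‑install risk check. It is an added example, not MetInfo's or VulnCheck's code; it assumes the operator supplies the install's web root and version string, and treats Windows hosts as exposed regardless of the cache directory, which is a conservative reading of the advisory.

```python
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional
import platform
import tempfile

# Values taken from the advisory text; script and directory paths are relative to the web root.
AFFECTED_VERSIONS = {"7.9", "8.0", "8.1"}
VULN_SCRIPT = Path("app/system/weixin/include/class/weixinreply.class.php")
WEIXIN_CACHE = Path("cache/weixin")


@dataclass
class Finding:
    risk: str                      # "exposed", "affected-version" or "not-affected"
    reasons: List[str] = field(default_factory=list)


def assess(webroot: str, version: str, is_windows: Optional[bool] = None) -> Finding:
    """Classify one MetInfo install using the preconditions described in the advisory."""
    root = Path(webroot)
    if is_windows is None:
        is_windows = platform.system() == "Windows"
    if version not in AFFECTED_VERSIONS:
        return Finding("not-affected", [f"version {version} is outside {sorted(AFFECTED_VERSIONS)}"])
    reasons = [f"version {version} is in the affected range; patch regardless"]
    if not (root / VULN_SCRIPT).is_file():
        reasons.append("weixinreply.class.php not found; Weixin component may be absent or relocated")
    if (root / WEIXIN_CACHE).is_dir():
        reasons.append("cache/weixin/ exists: WeChat plugin configured, unauthenticated RCE precondition met")
        return Finding("exposed", reasons)
    if is_windows:
        reasons.append("cache/weixin/ absent, but the directory precondition only applies to non-Windows hosts")
        return Finding("exposed", reasons)
    reasons.append("cache/weixin/ absent: non-Windows exploitation precondition not met")
    return Finding("affected-version", reasons)


def demo() -> dict:
    """Build a constructed MetInfo layout in a temp dir and return findings for three scenarios."""
    root = Path(tempfile.mkdtemp(prefix="metinfo-"))
    (root / VULN_SCRIPT).parent.mkdir(parents=True)
    (root / VULN_SCRIPT).write_text("<?php // constructed placeholder, not the real script\n")
    before = assess(str(root), "8.1", is_windows=False)   # plugin never configured
    (root / WEIXIN_CACHE).mkdir(parents=True)             # admin enabled Weixin integration
    after = assess(str(root), "8.1", is_windows=False)
    return {"no_cache_dir": before, "cache_dir_present": after,
            "windows_host": assess(str(root), "8.1", is_windows=True),
            "patched_version": assess(str(root), "9.0", is_windows=False)}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding.risk} -> {'; '.join(finding.reasons)}")
```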
The sequence of events is stark: a high‑severity, unauthenticated code‑injection flaw was disclosed, patches were issued on April 7, and exploitation was seen on the public internet by April 25 with an escalation on May 1. That timeline — disclosure, patch, then swift exploitation — emphasizes the narrow margin between remediation availability and active abuse for internet‑facing web platforms.
Original reporting: https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html