Threat actors are actively exploiting a critical MetInfo CMS flaw tracked as CVE-2026-29014, with VulnCheck saying attacks were seen from April 25 and increased on May 1, 2026. The issue affects versions 7.9, 8.0 and 8.1 and carries a CVSS score of 9.8.
KEY FACTS
- Flaw: unauthenticated PHP code injection in MetInfo CMS.
- Impact: remote code execution and full server control.
- Patch: MetInfo released fixes on April 7, 2026.
- Targeting: honeypots in the U.S. and Singapore, then China and Hong Kong IP addresses.
A technical analysis by Karmain Security said the flaw stems from insufficient input sanitization in the /app/system/weixin/include/class/weixinreply.class.php script when it handles Weixin (WeChat) API requests. The advisory said an attacker could inject malicious PHP code through crafted requests.
According to the report, exploitation on non-Windows servers also requires the /cache/weixin/ directory to exist first. That directory is created when the official WeChat plugin is installed and configured.
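The conditions described above can be checked on a server you administer. The following is an added example, not code from the article, VulnCheck or MetInfo: a POSIX shell function that triages one install. It assumes the operator supplies the installed version and the webroot path, and the function name and verdict strings are made up for illustration.

```shell
# Added example: local triage of one MetInfo install against the
# conditions reported for CVE-2026-29014.
AFFECTED_VERSIONS="7.9 8.0 8.1"   # versions named in the article
WEIXIN_SCRIPT="app/system/weixin/include/class/weixinreply.class.php"
WEIXIN_CACHE="cache/weixin"       # created when the official WeChat plugin is set up

# Usage: metinfo_triage WEBROOT VERSION [PLATFORM]
# VERSION comes from the operator (assumption: this script does not detect it).
# PLATFORM defaults to `uname -s`; pass "Windows" when checking a copied webroot.
# Prints one verdict: not-listed | script-absent | cache-missing | verify-patch
metinfo_triage() (
    root="${1%/}"; version="$2"; platform="${3:-$(uname -s)}"
    case " $AFFECTED_VERSIONS " in
        *" $version "*) listed=yes ;;
        *)              listed=no ;;
    esac
    # The report ties the cache-directory requirement to non-Windows servers only.
    case "$platform" in
        Windows*|MINGW*|MSYS*|CYGWIN*) needs_cache=no ;;
        *)                             needs_cache=yes ;;
    esac
    if [ "$listed" = no ]; then
        echo "not-listed"      # not one of the versions the article names
    elif [ ! -f "$root/$WEIXIN_SCRIPT" ]; then
        echo "script-absent"   # the script the analysis points to is not deployed
    elif [ "$needs_cache" = yes ] && [ ! -d "$root/$WEIXIN_CACHE" ]; then
        echo "cache-missing"   # reported precondition not met at the moment
    else
        echo "verify-patch"    # conditions met: confirm the April 7 fix is applied
    fi
)

# Run directly: sh triage.sh /path/to/webroot 8.1
if [ "$#" -ge 2 ]; then metinfo_triage "$@"; fi
```

A `cache-missing` verdict reflects the current state only, since the directory appears once the WeChat plugin is installed and configured, so patching is still required.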
MetInfo released patches on April 7, 2026, and the report said exploitation began to appear on April 25. VulnCheck later observed a rise in activity on May 1, with the probes shifting toward IP addresses in China and Hong Kong.
VulnCheck said about 2,000 MetInfo CMS instances are reachable online, most of them in China. The company described the earliest activity as sparse and tied to automated probing before it expanded.
WHY IT MATTERS
The flaw can let unauthenticated attackers run code on vulnerable servers, which can expose websites and back-end data. With thousands of instances publicly accessible, the attack surface remains broad even after patches were issued.

