- Threat actors are actively exploiting CVE-2026-29014, a critical code injection flaw in MetInfo CMS.
- The vulnerability allows remote, unauthenticated attackers to execute arbitrary PHP code and gain full server control.
- Exploitation activity surged on May 1, 2026, targeting honeypots in China and Hong Kong.
Threat actors are actively exploiting a critical security flaw in the popular MetInfo content management system, according to new findings from VulnCheck in May 2026. The vulnerability, a severe code injection flaw, grants attackers remote control over affected servers.
Specifically, the flaw is CVE-2026-29014, which has a maximum CVSS score of 9.8. The NIST National Vulnerability Database states it allows “remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code.”
Security researcher Egidio Romano discovered the vulnerability, which stems from insufficient input sanitization in a WeChat API script. Because the input is not properly neutralized, the flaw enables remote code execution.
One key prerequisite for exploitation on non-Windows servers is the existence of a specific directory created by the official WeChat plugin. Patches for the flaw were released by MetInfo on April 7, 2026.
However, exploitation began shortly thereafter, with a small number of automated probes detected on April 25. Activity then surged significantly on May 1, 2026, according to VulnCheck's Caitlin Condon.
Condon said the recent surge focused on honeypots with IP addresses in China and Hong Kong. Meanwhile, as many as 2,000 instances of MetInfo CMS remain accessible online, most of them located in China.
