MetInfo CMS: Active RCE Exploitation Targets CVE-2026-29014
Threat actors are actively leveraging an unauthenticated RCE vulnerability (CVE-2026-29014) in MetInfo CMS. Recent activity shows a significant spike in attack…

Threat actors are actively exploiting CVE-2026-29014, a critical unauthenticated PHP code injection vulnerability affecting MetInfo CMS versions 7.9, 8.0, and 8.1. While sporadic activity was first detected on April 25, 2026, malicious traffic surged on May 1, 2026, with a heavy geographical concentration on IP addresses in China and Hong Kong. The flaw carries a CVSS score of 9.8 and allows for complete system compromise without authentication, provided the target site has the WeChat plugin enabled.
- CVE-2026-29014 enables unauthenticated PHP remote code execution (RCE) in MetInfo CMS 7.9, 8.0, and 8.1 via the WeChat API component (weixinreply.class.php).
- The vulnerability stems from a lack of user input sanitization in requests directed at the /app/system/weixin/include/class/weixinreply.class.php script.
- Following initial honeypot activity in the U.S. and Singapore on April 25, exploitation attempts surged on May 1, 2026, focusing on infrastructure in China and Hong Kong.
- On non-Windows servers, the exploit requires the pre-existence of the /cache/weixin/ directory, which is only created during the installation of the official WeChat plugin.
Analyzing the WeChat Plugin Attack Vector
The core of CVE-2026-29014 lies within /app/system/weixin/include/class/weixinreply.class.php, a script responsible for managing automated API responses for the integrated WeChat social plugin. The failure to properly neutralize inputs allows a remote attacker to inject arbitrary PHP code without backend authentication.
The attack vector involves crafted HTTP requests that exploit the Weixin response processing flow. When the server processes the malicious request, the injected code executes within the web application's context, potentially leading to full server takeover. The severity is underscored by its CVSS score of 9.8, reflecting maximum impact on confidentiality, integrity, and availability with low attack complexity.
On non-Windows platforms, a specific prerequisite must be met: the presence of the /cache/weixin/ directory. This directory is generated only when the official WeChat plugin is installed. The constraint limits the exploit to instances where the social component is active, narrowing the target pool but concentrating the risk on sites that use the feature. Current reports do not confirm whether this prerequisite applies to Windows-based installations or whether an alternative path exists on those systems.
"MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code" — NIST National Vulnerability Database (NVD), via The Hacker News
From Honeypot Reconnaissance to Targeted Exploitation
Initial signs of in-the-wild exploitation appeared on April 25, 2026, when sensors in the United States and Singapore recorded attempts against exposed honeypots. This early activity was sporadic, consistent with automated reconnaissance or preliminary testing by opportunistic actors validating the exploit's reach.
A significant escalation occurred on May 1, 2026. Data from VulnCheck indicates a sharp increase in both the volume and precision of malicious activity, with a high concentration of requests targeting IP addresses geolocated in China and Hong Kong. This shift suggests a transition from broad scanning to a more targeted exploitation phase, though it remains unclear whether the activity is driven by structured APT groups or opportunistic threat actors.
It is important to note that current documentation relies on honeypot detections; there is presently no public confirmation of compromised production environments or live infrastructure. The focus on China and Hong Kong likely reflects the distribution of the approximately 2,000 exposed MetInfo instances—most of which are located in Chinese territories—or a specific interest in the Chinese digital ecosystem, where WeChat is a critical social and commercial pillar.
Assessing Exposure Beyond the Chinese Market
Estimates suggest roughly 2,000 MetInfo CMS installations are currently reachable via the internet. While the majority are in China, the CMS is also utilized internationally by organizations catering to Chinese clientele or managing multilingual web presences. Consequently, the risk is not strictly geographical; the deciding factor is the presence of the WeChat plugin and, for non-Windows systems, the /cache/weixin/ directory.
An organization in Europe, North America, or Southeast Asia using MetInfo with the active social module faces the same attack surface as a host in Beijing or Hong Kong. Geographic location should not provide a false sense of security for administrators managing instances outside of the primary target zones.
This situation highlights a frequent blind spot: niche CMS platforms and vertical-specific plugins. While the security community focuses on mainstream platforms, solutions like MetInfo can harbor critical vulnerabilities that remain under the radar until active exploitation begins. CVE-2026-29014 exemplifies how a secondary social component can become the primary entry point for a total system compromise.
Mitigation and Security Recommendations
MetInfo released an official patch on April 7, 2026, addressing the flaw in weixinreply.class.php. Administrators who have not yet updated should treat this as a high-priority task, given the documented rise in active exploitation. Recommended actions include:
- Apply Updates Immediately: Update MetInfo CMS to the patched versions released after April 7, 2026. Verify that the update actually replaced the vulnerable file in /app/system/weixin/include/class/. Because the flaw requires no authentication, updating the file does not remove a web shell or other foothold dropped before the patch; check for that separately.
- Remove Unused Plugins: If the WeChat module is not required for business operations, uninstall it completely to reduce the attack surface and eliminate the known vector.
- Inspect Cache on Non-Windows Servers: On Linux or Unix platforms, audit the /cache/weixin/ directory for files with unusual timestamps, unexpected PHP extensions, or suspicious payloads. Files not generated by the legitimate application are indicators of potential compromise.
- Monitor Logs and Deploy WAF Rules: Review web server logs for unauthorized POST or GET requests to weixinreply.class.php containing suspicious PHP code sequences. Standard access logs do not record POST bodies, so body-level inspection needs a WAF or application-layer audit log. Configure WAF rules to block injection attempts targeting the vulnerable parameter until patching is finalized.
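As an added example (not code from the page, from MetInfo, or from VulnCheck), the following Python script implements the log review and the cache audit from the last two items above. It assumes Apache/Nginx combined-format access logs, uses a generic list of PHP injection markers chosen for this example rather than any published indicator list, and inspects the whole request line because the page does not name the vulnerable parameter. The sample log lines, and the parameter name "msg" inside them, are constructed.

```python
import os
import re
from collections import namedtuple
from urllib.parse import unquote_plus

# Script named in the advisory. MetInfo may sit under a sub-directory of the
# document root, so requests are matched on this suffix, not the full path.
VULN_SCRIPT = "/app/system/weixin/include/class/weixinreply.class.php"

# Generic PHP injection markers chosen for this example (not a published
# indicator list for CVE-2026-29014). The page does not name the vulnerable
# parameter, so the whole request line and body are inspected.
PHP_MARKERS = (
    "<?php", "<?=", "eval(", "assert(", "system(", "passthru(",
    "shell_exec(", "exec(", "base64_decode(", "file_put_contents(",
)

# Apache/Nginx "combined" access-log line; only the fields used are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7", ".inc")

Hit = namedtuple("Hit", "ip ts method target status markers")

def decode_fully(s, rounds=3):
    """Undo repeated URL encoding (%253C%3Fphp -> <?php) before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_request(target, body=""):
    """PHP markers found in a request to weixinreply.class.php; () otherwise.
    Access logs carry no POST body: pass `body` from a WAF/audit log if you have it."""
    path = target.split("?", 1)[0]
    if not path.endswith(VULN_SCRIPT):
        return ()
    haystack = decode_fully(target + "\n" + body).lower()
    return tuple(m for m in PHP_MARKERS if m in haystack)

def scan_access_log(lines):
    """Return a Hit for every log line carrying an injection marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line
        markers = inspect_request(m["target"])
        if markers:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["target"],
                            int(m["status"]), markers))
    return hits

def flag_cache_entries(entries, baseline_mtime):
    """entries: iterable of (relative_name, mtime_epoch) -> {name: [reasons]}.
    A legitimate /cache/weixin/ tree holds cached API data, not code, so flag
    PHP-executable names (including double extensions such as x.php.jpg) and
    anything modified after baseline_mtime, e.g. the plugin's last legitimate
    install or update time."""
    flagged = {}
    for name, mtime in entries:
        reasons = []
        lower = name.lower()
        if lower.endswith(PHP_EXTENSIONS) or ".php." in lower:
            reasons.append("php-executable name")
        if mtime > baseline_mtime:
            reasons.append("modified after baseline")
        if reasons:
            flagged[name] = reasons
    return flagged

def audit_cache_dir(path, baseline_mtime):
    """Walk a real /cache/weixin/ directory and apply flag_cache_entries."""
    entries = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            full = os.path.join(root, f)
            entries.append((os.path.relpath(full, path), os.stat(full).st_mtime))
    return flag_cache_entries(entries, baseline_mtime)

# Constructed sample lines, not real traffic. The parameter name "msg" is
# invented for the sample; the page does not name the vulnerable parameter.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2026:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/May/2026:10:15:09 +0000] "GET /app/system/weixin/include/'
    'class/weixinreply.class.php?signature=abc&timestamp=1&nonce=2 HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/May/2026:10:16:41 +0000] "GET /app/system/weixin/include/'
    'class/weixinreply.class.php?msg=%253C%253Fphp%2520system%2528%2527id%2527%2529%253B HTTP/1.1" 200 91',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit.ts, hit.ip, hit.method, hit.target, "->", ", ".join(hit.markers))
```

Run it against a real log with scan_access_log(open("/var/log/nginx/access.log")) and against the cache with audit_cache_dir("/path/to/cache/weixin", baseline), where baseline is the epoch time of the last legitimate plugin install or update; the same marker list can seed an interim WAF rule on requests whose path ends in weixinreply.class.php. A hit tells you where to look, not that the host is compromised: a flagged request that returned 200 still needs the cache directory and any newly written files checked.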
The transition from sporadic honeypot probes to a surge in targeted exploitation confirms that CVE-2026-29014 is a concrete operational threat. For infrastructure managers, this case reinforces a critical principle: specialized social plugins, particularly those tied to ecosystems like WeChat, must be managed with the same rigor as the CMS core. Patching speed is only effective if defenders are fully aware of the components they are serving.
Frequently Asked Questions
Does this vulnerability affect all MetInfo installations or only those with the WeChat plugin?
The attack vector resides specifically in the /app/system/weixin/include/class/weixinreply.class.php script, which is part of the WeChat plugin. If the plugin is not installed or has been removed, the flaw cannot be exploited via this known path.
Why is the current attack activity focused on China and Hong Kong?
Reports indicate the May 1, 2026, spike primarily involved IP addresses in China and Hong Kong, though the exact motivation is not explicitly confirmed. This likely correlates with the high density of exposed MetInfo instances in those regions or a specific interest in the local digital market.
Is the April 7, 2026, patch sufficient to mitigate the risk?
Yes, the update released by MetInfo on April 7, 2026, resolves the documented vulnerability. Prompt application of the patch, combined with an audit to ensure no backdoors were previously installed, is the primary countermeasure against this threat.
Information has been verified against cited sources and is current at the time of publication.