MetInfo CMS CVE-2026-29014 Exploited in the Wild for Remote Code Execution

A critical unauthenticated PHP code injection flaw in MetInfo CMS 7.9–8.1 (CVSS 9.8) is under active exploitation. Patch to the April 7 release immediately.

By Theo Voss · 8 min read

Threat actors began actively exploiting CVE-2026-29014 on April 25, 2026, roughly three weeks after MetInfo released a patch. Activity spiked again on May 1, with attack traffic concentrated against roughly 2,000 internet-exposed MetInfo CMS instances, predominantly in China and Hong Kong. VulnCheck flagged the campaign; the underlying advisory comes from independent researcher Egidio Romano.

Affected Versions

Product        Versions                    Status
MetInfo CMS    7.9, 8.0, 8.1               Vulnerable
MetInfo CMS    Post-April 7, 2026 patch    Fixed

CVSS 3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS 4.0: 9.3 Critical
CWE: CWE-94 — Improper Control of Generation of Code (Code Injection)

The Vulnerability

The flaw lives in /app/system/weixin/include/class/weixinreply.class.php, specifically inside the wxAdminLogin() method. This component handles incoming WeChat API webhook requests. Two XML parameters, EventKey and FromUserName, are extracted from the HTTP request body and passed to caching functions without sanitization.

Exploitation chains two bugs together.

Step 1 — Path traversal via cache::get(): The $code parameter accepts directory traversal sequences. An attacker manipulates it so the method attempts to retrieve a cache entry that does not exist, causing the return value $login_code to be set to the string "Array".

Step 2 — PHP code injection via cache::put(): With $login_code resolving to "Array", the application writes the attacker-controlled FromUserName value into the file /cache/weixin/Array.php. The written file looks like:

<?php
defined('IN_MET') or exit('No permission');
$cache="{$data}";
?>

PHP’s double-quoted strings interpolate variables and, with the curly-brace syntax, whole expressions. Because the FromUserName value is written verbatim between the double quotes of the $cache assignment, a valid PHP expression embedded in it becomes part of the generated source. A subsequent HTTP request that causes PHP to include or evaluate that cache file triggers execution.

The attack requires no authentication. On non-Windows hosts, one practical prerequisite applies: the directory /cache/weixin/ must already exist, which is created automatically when the MetInfo WeChat integration plugin is installed. Sites that have never installed the WeChat plugin but run a vulnerable version may still be reachable depending on how directory creation is handled, but the primary attack surface is installations with the plugin active.
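The following is an added example, not MetInfo's code or Romano's PoC: it places the unsafe cache-file generation pattern described above next to a hardened equivalent and shows the key validation that would have stopped step 1. The function names, the sample value and the use of var_export() are assumptions made for the example; only the three-line file template mirrors the one shown in the advisory.

```php
<?php
// Added example, not MetInfo's code. Function names and the cache directory
// argument are hypothetical; the file template is the one the advisory describes.

// UNSAFE: $data is interpolated into a double-quoted literal inside the generated
// source. A value containing "{${ ... }}" is evaluated when that file is included.
function render_cache_unsafe(string $data): string
{
    return "<?php\n"
         . "defined('IN_MET') or exit('No permission');\n"
         . "\$cache=\"{$data}\";\n"
         . "?>";
}

// HARDENED: var_export() emits a single-quoted PHP literal with ' and \ escaped.
// Single-quoted strings are never interpolated, so the value is stored as inert data.
function render_cache_safe(string $data): string
{
    return "<?php\n"
         . "defined('IN_MET') or exit('No permission');\n"
         . '$cache=' . var_export($data, true) . ";\n"
         . "?>";
}

// Cache keys become file names, so they must be plain tokens. This rejects "../",
// NUL bytes and empty keys, and refuses a non-string lookup result instead of
// letting it degrade to the literal "Array" described in step 1.
function cache_file_path(string $dir, $key): string
{
    if (!is_string($key) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key)) {
        throw new InvalidArgumentException('refusing unsafe cache key');
    }
    return rtrim($dir, '/') . '/' . $key . '.php';
}

// Constructed sample: a value carrying a closing quote and an interpolation
// sequence, which a legitimate WeChat OpenID never contains.
$sample = 'openid"; {$x}';
echo "unsafe:\n", render_cache_unsafe($sample), "\n\n";
echo "safe:\n", render_cache_safe($sample), "\n\n";

// Constructed keys: a normal token, a traversal attempt, and a non-string result.
foreach (['oABC123', '../../etc/x', ['not', 'a', 'string']] as $key) {
    try {
        echo cache_file_path('/cache/weixin', $key), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Running it prints the unsafe file with the literal broken open at the injected quote, while the hardened file holds the same bytes inside a single-quoted string where PHP performs no interpolation. The key validator is the cheaper half of the fix: with it, the lookup in step 1 cannot produce a file name in the first place.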

Exploitation Timeline

The 18-day gap between patch release and active exploitation is shorter than average for critical CMS vulnerabilities and aligns with patterns VulnCheck has observed around public PoC availability. Romano published a proof-of-concept at https://karmainsecurity.com/pocs/CVE-2026-29014.php alongside the advisory.

Mitigation

Apply the vendor patch. MetInfo published the fix on April 7, 2026; updated packages are available at the official MetInfo download portal (metinfo.cn/news/2875.html).

If immediate patching is not possible, operators can reduce exposure by:

  1. Blocking unauthenticated POST requests to the WeChat endpoint. The wxAdminLogin() method is reached through the WeChat webhook path. Restricting access at the WAF or reverse proxy to known WeChat IP ranges limits the attack surface.
  2. Removing or restricting write access to /cache/weixin/ prevents the injected file from being written, breaking step 2 of the exploit chain.
  3. Disabling the WeChat integration plugin entirely if it is not in active use removes the affected code path.

None of these workarounds should be treated as permanent. The patch is the only reliable fix.
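For teams that cannot patch on the spot, the added example below (not MetInfo's code) is a read-only triage check for the cache directory the exploit chain writes into. It flags the two artefacts the advisory describes: a file named Array.php, and a $cache assignment whose value carries double-quoted interpolation syntax or breaks out of the string literal. The function names and the sample file contents are constructed for the example; the directory path /cache/weixin/ and the file template come from the advisory. str_contains() requires PHP 8.

```php
<?php
// Added example, not MetInfo's code: triage for /cache/weixin/. Function names and
// the sample files are constructed; the template mirrors the advisory's cache file.

// Classify one cache file. Returns a list of reasons; an empty list means "looks normal".
function classify_cache_file(string $name, string $contents): array
{
    $reasons = [];

    // Step 1 of the chain yields the literal "Array" as the cache key.
    if ($name === 'Array.php') {
        $reasons[] = 'file name is the array-to-string fallback "Array"';
    }

    // Cache keys should be plain tokens; anything else suggests a traversal payload.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        $reasons[] = 'file name is not a plain token';
    }

    // Pull the value between the quotes of the $cache assignment, if present.
    if (preg_match('/\$cache="(.*)";/s', $contents, $m)) {
        $value = $m[1];
        // "{$" and "${" are the only ways a double-quoted literal evaluates code.
        if (str_contains($value, '{$') || str_contains($value, '${')) {
            $reasons[] = 'cached value contains PHP interpolation syntax';
        }
        // An unescaped quote inside the value breaks out of the literal into raw code.
        if (preg_match('/(?<!\\\\)"/', $value)) {
            $reasons[] = 'cached value breaks out of the string literal';
        }
    } elseif (!preg_match('/\$cache=\'/', $contents)) {
        // Neither the double-quoted template nor a single-quoted (patched-style) form.
        $reasons[] = 'no recognisable $cache assignment';
    }
    return $reasons;
}

// Scan a directory on a live host; reads only, never includes the files.
function scan_cache_dir(string $dir): array
{
    $findings = [];
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $path) {
        $reasons = classify_cache_file(basename($path), (string) file_get_contents($path));
        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

// Constructed samples standing in for real files; on a host, call
// scan_cache_dir('/cache/weixin') instead and review every entry it returns.
$template = "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache=\"%s\";\n?>";
$samples = [
    'oABC123.php' => sprintf($template, 'oABC123'),
    'Array.php'   => sprintf($template, 'x{$injected}'),
];
foreach ($samples as $name => $contents) {
    $reasons = classify_cache_file($name, $contents);
    printf("%-12s %s\n", $name, $reasons ? implode('; ', $reasons) : 'ok');
}
```

Any hit should be handled as incident evidence rather than cleaned up in place: preserve the file and the web server logs for the request window, then apply the vendor patch.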

Scope and Context

Shodan and similar indexing tools show approximately 2,000 MetInfo CMS instances with HTTP-accessible admin panels. The majority are hosted in China, where MetInfo has significant market share among small-business and government-adjacent sites. An unauthenticated RCE with a public PoC and a 9.8 CVSS score on a CMS with this exposure profile is a reliable target for automated scanning.

VulnCheck’s telemetry indicating the May 1 spike suggests the campaign moved beyond opportunistic probing into more deliberate targeting. Organizations running MetInfo in any version between 7.9 and 8.1 should treat this as an active incident until patched.

Sources

  1. NVD — CVE-2026-29014
  2. KIS-2026-06: MetInfo CMS Unauthenticated PHP Code Injection (Egidio Romano)
  3. The Hacker News: MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks