Ethical Hacking News
A critical vulnerability has been discovered in the MetInfo CMS, allowing remote attackers to execute arbitrary code. The vulnerability affects versions 7.9, 8.0, and 8.1 of the software, with patches released on April 7, 2026. As many as 2,000 instances of the affected CMS are accessible online, highlighting the need for vigilance in maintaining software security.
The MetInfo CMS is vulnerable to a critical security flaw (CVE-2026-29014) that could result in arbitrary code execution. The vulnerability exists in versions 7.9, 8.0, and 8.1 due to insufficient input sanitization when issuing Weixin API requests. Remote attackers can execute arbitrary code by sending crafted requests with malicious PHP code. Patches were released on April 7, 2026, but the vulnerability has been exploited since then. A significant number of instances (estimated 2,000) are accessible online, mostly in China.
MetInfo, an open-source content management system (CMS), has been found to be vulnerable to a critical security flaw that could result in arbitrary code execution. This vulnerability, identified as CVE-2026-29014 with a CVSS score of 9.8, was discovered by security researcher Egidio Romano and is the result of insufficient input sanitization when issuing Weixin (aka WeChat) API requests.
MetInfo CMS versions 7.9, 8.0, and 8.1 are affected by this vulnerability, which allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. The problem is rooted in the "/app/system/weixin/include/class/weixinreply.class.php" script, where user-supplied input is not adequately sanitized, so it is not neutralized before it reaches the execution path.
As a result, remote, unauthenticated attackers can inject and execute arbitrary PHP code. When MetInfo is running on a non-Windows server, a key prerequisite for successful exploitation is that the "/cache/weixin/" directory already exists. This directory is created during installation and configuration of the official WeChat plugin.
MetInfo released patches on April 7, 2026, to address this vulnerability. However, exploitation has been observed since April 25, with a small number of exploits deployed against susceptible honeypots located in the U.S. and Singapore. The activity surged on May 1, 2026, focusing on China and Hong Kong IP addresses.
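An administrator can check a MetInfo webroot against the two paths named above. The script below is an added example, not code from MetInfo or from the researcher's advisory. The status strings and the scan for PHP open tags under "cache/weixin" are assumptions made for triage; the article does not say what a successful exploit leaves on disk.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2026-29014 on a MetInfo webroot.
# The two relative paths come from the article; status names are hypothetical.

VULN_SCRIPT="app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR="cache/weixin"

# audit_metinfo WEBROOT
# Prints exactly one status line:
#   script-absent     the Weixin reply script is not in this webroot
#   script-present    script exists, cache/weixin does not (on non-Windows
#                     hosts the stated prerequisite is unmet; still patch)
#   prerequisite-met  script and cache/weixin both exist: patch first
#   review-cache:N    as above, and N files under cache/weixin contain a
#                     PHP open tag (heuristic only, review them by hand)
audit_metinfo() {
    root=$1
    if [ ! -f "$root/$VULN_SCRIPT" ]; then
        echo "script-absent"
        return 0
    fi
    if [ ! -d "$root/$CACHE_DIR" ]; then
        echo "script-present"
        return 0
    fi
    # Count files in the cache directory that contain the literal "<?php".
    hits=$(grep -rlF '<?php' "$root/$CACHE_DIR" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then
        echo "review-cache:$hits"
    else
        echo "prerequisite-met"
    fi
}

# Run against a webroot passed on the command line, e.g. ./audit.sh /var/www/html
if [ $# -gt 0 ]; then
    audit_metinfo "$1"
fi
```

None of the statuses reports whether the April 7, 2026 patches are installed, so any result other than "script-absent" still calls for confirming the installed version against the vendor's fixed release.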
As many as 2,000 instances of MetInfo CMS are accessible online, most of which are in China. This vulnerability highlights the importance of keeping software up to date with the latest patches, as well as the need for stringent input validation to prevent such security flaws.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Vulnerability-of-Unprecedented-Scope-The-MetInfo-CMS-Flaw-ehn.shtml
https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html
https://nvd.nist.gov/vuln/detail/CVE-2026-29014
https://www.cvedetails.com/cve/CVE-2026-29014/
Published: Tue May 5 08:49:36 2026 by llama3.2 3B Q4_K_M