
Thousands of MetInfo-powered servers remain exposed to remote takeover through a known PHP flaw. If you or a colleague manage web infrastructure, especially in Asia, this may be worth sending their way.

Critical Flaw in MetInfo CMS Under Attack
A critical remote code execution vulnerability in MetInfo CMS, a popular open-source content management system in China, is under active exploitation. Tracked as CVE-2026-29014 with a CVSS score of 9.8, the flaw allows unauthenticated attackers to inject and execute arbitrary PHP code via insufficient input sanitization in the WeChat API integration component. The vulnerability affects versions 7.9, 8.0, and 8.1, specifically within the weixinreply.class.php script. Successful exploitation gives full control over the affected server, provided the /cache/weixin/ directory exists—a condition met after installing the official WeChat plugin.
MetInfo released patches on April 7, 2026, but exploitation began by April 25, initially detected in U.S. and Singapore honeypots. Activity remained low until May 1, when attacks surged, increasingly targeting IP addresses in China and Hong Kong. Security firm VulnCheck reports that around 2,000 MetInfo instances are publicly accessible online, the majority located in China, making them potential targets. The combination of a high-impact vulnerability and concentrated regional exposure has raised concerns among network security teams.
Organizations running MetInfo CMS are urged to confirm they are patched to version 8.2 or later. The incident underscores the risk window between patch release and widespread deployment, especially for regionally concentrated platforms. Monitoring for unauthorized access to the /cache/weixin/ directory and related API endpoints is recommended for unpatched systems still undergoing updates.
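The monitoring recommended above could look like the following sketch, an added example that is not code from MetInfo, VulnCheck or the original article. It assumes Combined Log Format access logs; the article does not name the API endpoints, so matching the substring "weixin" in a request is an assumption, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
CACHE_DIR = "/cache/weixin/"  # directory named in the article
API_HINT = "weixin"           # assumption: WeChat API routes contain this string

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/May/2026:10:00:05 +0000] "POST /example/weixin/callback HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.23 - - [02/May/2026:10:00:06 +0000] "GET /cache/weixin/ HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.50 - - [02/May/2026:10:02:00 +0000] "GET /%63ache//Weixin/ HTTP/1.1" 404 0 "-" "-"',
    'not an access log line',
]


def normalise(target):
    """Lowercased path with percent-encoding undone twice and slashes collapsed."""
    path = urlsplit(target).path
    for _ in range(2):  # second pass catches double-encoded paths
        path = unquote(path)
    return re.sub(r"/+", "/", path).lower()


def classify(target):
    """Return 'cache-dir', 'weixin-api' or None for a request target."""
    if CACHE_DIR in normalise(target):
        return "cache-dir"
    if API_HINT in unquote(target).lower():
        return "weixin-api"
    return None


def scan(lines):
    """Group flagged requests by client IP; unparsable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        kind = classify(m["target"]) if m else None
        if kind:
            hits[m["ip"]].append((m["ts"], m["method"], m["target"], int(m["status"]), kind))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        print(ip, len(events), sorted({e[4] for e in events}))
```

A flagged request is a lead for review, not proof of compromise; legitimate WeChat callbacks will also match the "weixin" hint on sites that use the plugin.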
Facts
- CVE-2026-29014 is a critical PHP code injection flaw in MetInfo CMS versions 7.9, 8.0, and 8.1 with a CVSS score of 9.8.
- The vulnerability allows unauthenticated remote attackers to execute arbitrary code via the weixinreply.class.php script if the /cache/weixin/ directory exists.
- MetInfo released patches on April 7, 2026, but exploitation began by April 25, with a surge in attacks targeting China and Hong Kong starting May 1, 2026.
- Around 2,000 MetInfo CMS instances are publicly accessible online, most located in China, according to VulnCheck.
- The flaw stems from insufficient input sanitization during WeChat API requests, enabling full server takeover if exploited.
Canto visual news explainer. AI tools may assist production.





