Urgent Warning: MetInfo CMS Vulnerability Allows Remote Code Execution

Cybersecurity researchers are warning that attackers are already exploiting a serious flaw in the open-source MetInfo CMS, putting thousands of websites at risk.

The vulnerability, tracked as CVE-2026-29014, carries a high severity score of 9.8 and allows attackers to run malicious code on affected servers.

What the Vulnerability Does

The issue is a PHP code injection flaw that affects MetInfo versions 7.9, 8.0, and 8.1. Because of improper input handling, attackers can send specially crafted requests containing malicious code and have it executed directly on the server.

Even more concerning, the attack does not require authentication. This means a remote attacker can exploit the flaw without needing login credentials.

Root Cause of the Flaw

According to security researcher Egidio Romano, the problem originates in a specific script used for WeChat integrations. The system fails to properly sanitize user input when processing API requests, opening the door for code injection.

On non-Windows systems, exploitation also depends on the presence of a specific directory (/cache/weixin/), which is typically created when the official WeChat plugin is installed and configured.

Exploitation in the Wild

Although a patch was released on April 7, 2026, attackers began targeting the vulnerability shortly after.

Initial activity observed around April 25 involved limited automated scanning and testing against exposed systems. However, by May 1, the attack volume increased significantly, with a strong concentration of activity linked to IP addresses in China and Hong Kong.

Security firm VulnCheck reported that even early tests successfully hit vulnerable honeypot systems in regions such as the United States and Singapore.

Scale of Exposure

Current estimates suggest that around 2,000 MetInfo CMS instances are publicly accessible online, with a large number of them hosted in China. This makes the platform an attractive target for opportunistic attackers.

Why This Matters

A successful exploit can give attackers full control of the affected server. From there, they can:

  • Deploy malware
  • Steal sensitive data
  • Use the server for further attacks

Because the vulnerability is easy to exploit and requires no authentication, it poses a serious risk to unpatched systems.

Recommended Action

Website administrators using MetInfo CMS should update to the latest patched version immediately. Delaying updates increases the chance of compromise, especially now that exploitation is already underway.
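To decide which installs to patch first on a non-Windows host, the two conditions described above (a listed version and the presence of cache/weixin under the webroot) can be checked per site. The script below is an added example, not code from MetInfo or from the researchers; the function names and status words are hypothetical, and the version of each install is assumed to be supplied by the administrator. A missing directory only lowers priority, since it is created when the WeChat plugin is installed and configured.

```shell
#!/bin/sh
# Added example: rank MetInfo webroots on a non-Windows host for patching.
# The version is supplied by the administrator (assumption: nothing here
# reads it from the install).

# metinfo_triage WEBROOT VERSION -> prints one status word
metinfo_triage() {
    webroot=${1%/}
    version=$2
    if [ ! -d "$webroot" ]; then
        echo "no-such-webroot"
        return 2
    fi
    # Versions the article lists as affected. Matching their point releases
    # too is an assumption, chosen so that nothing is under-reported.
    case "$version" in
        7.9|7.9.*|8.0|8.0.*|8.1|8.1.*) ;;
        *) echo "version-not-listed"; return 0 ;;
    esac
    # -d follows symlinks, so a relocated cache directory still counts.
    if [ -d "$webroot/cache/weixin" ]; then
        echo "patch-first"      # listed version and the directory exists
    else
        echo "patch"            # listed version; directory may appear later
    fi
}

# Reads "WEBROOT VERSION" lines on stdin (paths without spaces; blank lines
# and # comments skipped) and prints "STATUS WEBROOT", most urgent first.
metinfo_triage_list() {
    while read -r root ver; do
        case "$root" in ''|'#'*) continue ;; esac
        status=$(metinfo_triage "$root" "$ver") || :
        case "$status" in
            patch-first) rank=0 ;;
            patch)       rank=1 ;;
            *)           rank=2 ;;
        esac
        echo "$rank $status $root"
    done | LC_ALL=C sort | cut -d' ' -f2-
}
```

Source the file and pipe an inventory of "WEBROOT VERSION" lines into `metinfo_triage_list`; every install on a listed version still needs the update, whatever its status.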

