
MetInfo CMS vulnerability exploited by threat actors

Threat actors are actively exploiting a critical security flaw impacting the MetInfo open-source content management system, according to a recent report by The Hacker News.

The vulnerability, identified as CVE-2026-29014 with a CVSS score of 9.8, is a PHP code injection flaw that allows unauthenticated remote attackers to execute arbitrary code. This is achieved by sending crafted requests with malicious PHP code to the affected script, specifically within the weixinreply.class.php file. Exploitation requires the /cache/weixin/ directory to exist, which is typically created when the WeChat plugin is installed.

Patches were released by MetInfo on April 7, 2026. However, exploitation began on April 25, initially targeting honeypots in the U.S. and Singapore. Activity surged on May 1, focusing on China and Hong Kong, with as many as 2,000 MetInfo CMS instances accessible online, predominantly in China.
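
A defender-side triage check built on the details above, added here as an example (not code from MetInfo, The Hacker News or SC Media): it reports whether a site root contains the named script and the /cache/weixin/ directory, and lists files in that directory modified after April 25, 2026 that contain a PHP open tag. The location of cache/weixin directly under the site root and the choice of what to flag are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added triage sketch; not MetInfo, vendor, or article code.
# From the article: the file name weixinreply.class.php, the /cache/weixin/
# precondition, and April 25, 2026 as the first observed exploitation.
# Assumptions: cache/weixin sits directly under the site root, and files
# there that contain a PHP open tag are worth a manual look.

# classify_metinfo_root ROOT prints one of:
#   not-found  no weixinreply.class.php under ROOT
#   present    script found, cache/weixin missing (stated precondition unmet)
#   exposed    script found and cache/weixin exists
classify_metinfo_root() {
    mi_root=$1
    if [ ! -d "$mi_root" ]; then echo "not-found"; return 0; fi
    mi_hit=$(find "$mi_root" -type f -name 'weixinreply.class.php' 2>/dev/null | head -n 1)
    if [ -z "$mi_hit" ]; then
        echo "not-found"
    elif [ -d "$mi_root/cache/weixin" ]; then
        echo "exposed"
    else
        echo "present"
    fi
}

# recent_php_in_weixin_cache ROOT prints files under ROOT/cache/weixin that
# were modified after 2026-04-25 00:00 (local time) and contain "<?php".
recent_php_in_weixin_cache() {
    mi_dir="$1/cache/weixin"
    [ -d "$mi_dir" ] || return 0
    mi_ref=$(mktemp) || return 1
    touch -t 202604250000 "$mi_ref"
    # grep -l exits non-zero when nothing matches; that is not an error here.
    find "$mi_dir" -type f -newer "$mi_ref" -exec grep -l '<?php' {} + 2>/dev/null || true
    rm -f "$mi_ref"
}

# Stand-alone use: sh triage.sh /path/to/site/root
if [ -n "${1:-}" ]; then
    echo "status: $(classify_metinfo_root "$1")"
    recent_php_in_weixin_cache "$1"
fi
```

An `exposed` result means only that the precondition named in the article is met on that host; whether the install is patched has to be checked against the vendor's April 7, 2026 release.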

Source: The Hacker News
