The critical remote code execution vulnerability CVE-2026-29014 (CVSS 9.8) in MetInfo CMS versions 7.9, 8.0, and 8.1 is already being actively exploited: unauthenticated attackers can execute arbitrary PHP code via the WeChat functionality and gain full control over the server, so MetInfo owners must immediately install the April 7, 2026 patches and check their systems for signs of compromise.

Technical details of the vulnerability and exploitation

According to the entry in the NVD for CVE-2026-29014, the vulnerability is an unauthenticated PHP code injection leading to remote code execution (RCE) in MetInfo CMS:

• Identifier: CVE-2026-29014
• CVSS score: 9.8 (critical)
• Affected versions: MetInfo CMS 7.9, 8.0, 8.1
• Attack vector: remote, unauthenticated
• Vulnerability type: PHP code injection resulting in RCE

Security researcher Egidio Romano established that the issue originates in the script /app/system/weixin/include/class/weixinreply.class.php. The root cause is insufficient sanitization of user input when forming requests to the Weixin (WeChat) API. Data received from a remote client enters the execution path without proper neutralization, which allows arbitrary PHP code to be injected.

Key technical characteristics:

• Does not require an account: an attacker can exploit the vulnerability completely anonymously, which significantly facilitates mass scanning and exploitation.
• Attack surface — WeChat functionality: the exploit abuses Weixin API handling in MetInfo. This makes it especially risky to have the official WeChat plugin installed and partially or previously enabled and then forgotten.
• Condition for non-Windows systems: for successful exploitation on servers other than Windows, the directory /cache/weixin/ must exist. It is created when the official WeChat plugin is installed and configured.

As a result, a remote attacker can send a specially crafted HTTP request containing malicious PHP code, which will be written to disk and then executed by the server. This is a classic exploitation scenario corresponding to MITRE ATT&CK T1190 Exploit Public-Facing Application, where a vulnerable web application becomes an entry point for full infrastructure takeover.

MetInfo released fixes on April 7, 2026 (for supported CMS versions). As early as April 25, the first successful exploitations were recorded on vulnerable honeypot systems in the US and Singapore, and by May 1 there was a noticeable increase in activity, predominantly from IP addresses in China and Hong Kong. According to VulnCheck, about 2,000 MetInfo instances are reachable on the internet, most of them in China.

Threat context: from targeted scans to mass exploitation

The observed attack dynamics are typical for critical web vulnerabilities:

1. Reconnaissance phase: in the first days after the patch and vulnerability information were published, “rare and automated” exploitation attempts were observed against honeypot systems. This indicates that the exploit was quickly integrated into scanners and botnets.
2. Scale-up phase: from May 1, there was a spike in activity focused on IP addresses in China and Hong Kong, which correlates with the geographical distribution of MetInfo deployments (most instances are also located in China).

There have been no reports linking the activity to specific groups or campaigns yet, but the presence of a working exploit and mass scanning means that CVE-2026-29014 is rapidly moving from the category of targeted attacks to a standard tool for automated compromise of public websites.

Impact assessment and risk profile

Who is at greatest risk

• Organizations and individuals using MetInfo CMS versions 7.9, 8.0, 8.1, especially:
  • those with the official WeChat plugin installed and configured at any point;
  • those whose servers are reachable from the internet without additional filtering or a Web Application Firewall.
• Resources in China and Hong Kong, where most MetInfo installations are concentrated and where the main stream of hostile activity has been recorded.

Possible consequences of successful exploitation

Remote execution of arbitrary code on a PHP server gives an attacker virtually unlimited capabilities:

• Full site takeover: content tampering, phishing pages, injection of fraudulent payment forms.
• Data theft: leakage of database contents (accounts, orders, customers’ personal data, internal documents).
• Deployment of additional malicious code: installation of web shells, proxies, participation in botnets, further attacks on the internal network.
• Reputational and legal damage: if the site serves customers or citizens, a compromise may result in claims from regulators and business partners.

Given the unauthenticated nature of the attack and the presence of automated scanning, any unpatched public MetInfo installation with enabled WeChat functionality should be considered potentially already compromised.

Practical protection recommendations

1. Immediate MetInfo update

1. Determine the current version of MetInfo CMS (in the administration panel or via version files).
2. Compare it with the information from the NVD entry for CVE-2026-29014 and MetInfo’s official documentation to confirm that your release falls within the vulnerable range.
3. Install the patches released on April 7, 2026, or upgrade to the latest available secure version.

Priority: urgent (within the next few hours for public systems, one day at most).

2. Checking exploitation conditions

Even after updating, you must assess whether the vulnerability could have been exploited earlier:

• Check for the presence of the /cache/weixin/ directory on the server:
  • if the directory exists but you are not consciously using WeChat integration, this increases the risk of unnoticed exploitation;
• Review web server logs (access and error) for:
  • suspect requests to paths related to /weixin/ or weixinreply.class.php;
  • anomalous POST requests containing embedded PHP constructs.

3. Hunting for signs of compromise

Focus on indicators of post-exploitation activity:

• Search for new or modified PHP files in:
  • the /cache/weixin/ directory;
  • directories writable by the web server.
• Check for web shells (non-standard files with small size and unfamiliar names, including those masquerading as system files).
• Analyze outbound connections from the server for unknown destinations and unusual traffic.
• Review system logs for new accounts, permission changes, and attempts to access the database outside normal patterns.

If there is reason to believe that exploitation has already occurred, it is prudent to treat the system as compromised: switch to incident response mode, conduct forensics, and, if necessary, perform a full reinstallation with restoration from a trusted backup.

4. Reducing the attack surface

Even after applying the patch, you should reduce the likelihood of future web exploitation:

• Place MetInfo behind a reverse proxy and enable Web Application Firewall rules to block typical PHP injections and suspicious parameters.
• Restrict access to the administrative panel by IP address or via VPN.
• Remove or disable unused plugins, including WeChat if it is not required for business purposes.
• Regularly update the CMS, plugins, and dependent libraries to avoid accumulating vulnerabilities.

5. Prioritization in overall vulnerability management

CVE-2026-29014 should be assigned the highest priority:

• Vulnerability type: remote code execution.
• Required privileges: no authentication required.
• Exploit availability: confirmed exploitation in the wild.

Within your vulnerability management process, it makes sense to classify all public MetInfo sites as “immediate response” assets, on par with other critical web platforms.

The key takeaway: owners of MetInfo CMS versions 7.9, 8.0, and 8.1 must, as quickly as possible, install the April 7, 2026 patches, check for the presence and state of the /cache/weixin/ directory, analyze logs and the file system for signs of CVE-2026-29014 exploitation and, if anomalies are detected, carry out a full incident investigation followed by restoration from a trusted backup.