Critical MetInfo CMS RCE Flaw Hit by Active Exploitation
Threat actors are actively exploiting CVE-2026-29014, a critical CVSS 9.8 vulnerability in the open-source MetInfo CMS that allows unauthenticated remote code execution through PHP code injection. The flaw affects MetInfo versions 7.9, 8.0, and 8.1 and stems from insufficient sanitization in Weixin/WeChat API requests handled by weixinreply.class.php, located under /app/system/weixin/include/class/. Successful exploitation can let attackers execute arbitrary code and potentially take full control of vulnerable servers.
MetInfo issued patches on April 7, 2026, but exploitation was observed by April 25 against honeypots in the United States and Singapore, before surging on May 1 with attacks concentrated on China and Hong Kong. Exploitation depends on the presence of the /cache/weixin/ directory, which is commonly created when the WeChat plugin is installed. Researchers said roughly 2,000 MetInfo CMS instances were reachable online, with the majority exposed in China.
How this story unfolded
4 events from the earliest known activity through the most recent confirmed update.
MetInfo releases patches for CVE-2026-29014
MetInfo released fixes for CVE-2026-29014, a critical unauthenticated PHP code injection flaw in MetInfo CMS affecting versions 7.9, 8.0, and 8.1. The vulnerability can enable remote code execution via crafted requests to the weixinreply.class.php component when the WeChat-related cache directory is present.
Exploitation of CVE-2026-29014 begins against honeypots
VulnCheck observed active exploitation of CVE-2026-29014 starting by April 25, with initial attacks targeting honeypots in the United States and Singapore. The activity showed threat actors were abusing the flaw in the wild shortly after patches became available.
MetInfo CMS attacks surge and shift toward China and Hong Kong
On May 1, exploitation activity increased sharply, with attacks concentrating on targets associated with China and Hong Kong IP addresses. Reporting also noted that roughly 2,000 MetInfo CMS instances were exposed online, most of them in China.
Researchers publicly report active exploitation of CVE-2026-29014
By early May 2026, VulnCheck and media reports disclosed that CVE-2026-29014 was being actively exploited in the wild. The reporting identified the bug as a critical CVSS 9.8 remote code execution issue in the MetInfo CMS Weixin/WeChat functionality.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated RCE in com_mb24sysapi and High-Severity CSRF in DedeCMS
A newly recorded vulnerability, **CVE-2026-32968**, affects the `com_mb24sysapi` module and allows **unauthenticated remote code execution** through an OS command injection flaw. The weakness is classified as **CWE-78** and stems from improper neutralization of special elements in OS commands, enabling a remote attacker to execute arbitrary commands and potentially take full control of an affected system. The CVE is described as a variant of `CVE-2020-10383`, carries a **CVSS v3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, and is referenced by CERT VDE advisories **VDE-2026-024** and **VDE-2026-025**. A separate high-severity issue, **CVE-2026-29839**, was recorded for **DedeCMS v5.7.118** in the `/sys_task_add.php` component. The flaw is a **Cross-Site Request Forgery** vulnerability classified as **CWE-352**, and its updated **CVSS v3.1** vector is `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating that successful exploitation could significantly affect confidentiality, integrity, and availability. The record includes references to a public gist and the DedeCMS website, highlighting another internet-exposed web application weakness with potentially serious impact.
Mar 24, 2026
Public Exploit Releases for Multiple High-Impact RCE Vulnerabilities by Chocapikk
Security researcher Chocapikk has released a curated collection of public exploit repositories targeting a range of unauthenticated remote code execution (RCE) vulnerabilities across various platforms. The collection includes weaponized proof-of-concept (PoC) exploits and Metasploit modules for critical CVEs such as CVE-2025-34152 (Shenzhen Aitemi M300 Wi-Fi Repeater), CVE-2024-31819 (AVideo Platform), CVE-2024-25600 (Bricks), CVE-2023-50917 (MajorDoMo), CVE-2025-32432 (CraftCMS), and others. These tools are designed to facilitate security testing and highlight the risks posed by unpatched systems, with several exploits enabling unauthenticated attackers to gain remote shell access or escalate privileges on vulnerable targets. The public availability of these exploits increases the urgency for organizations to patch affected systems and monitor for exploitation attempts. Chocapikk's contributions are widely referenced in the security community, with mentions in multiple security news outlets and integration into major exploit frameworks like Metasploit. The release of these tools underscores the ongoing threat posed by rapidly weaponized vulnerabilities and the importance of proactive vulnerability management and detection strategies for enterprise defenders.
Mar 21, 2026
Critical Authentication Bypass and Remote Code Execution Vulnerabilities in METZ CONNECT EWIO2 Series
A set of critical vulnerabilities has been identified in the METZ CONNECT EWIO2 series, including models EWIO2-M, EWIO2-M-BM, and EWIO2-BM running firmware versions below 2.2.0. The most severe issue is an authentication bypass (CVE-2025-41733/41734) that allows unauthenticated attackers with network access to gain administrative control over the device. Exploitation enables attackers to change configurations, manipulate data, disrupt services, and potentially render the device inoperable. Additional vulnerabilities include improper control of filename for include/require statements, unrestricted upload of dangerous file types, path traversal, and improper access control, collectively enabling remote code execution and full device compromise. CISA has issued an ICS advisory (ICSA-25-322-05) highlighting the remote exploitability and low attack complexity of these flaws, assigning a CVSS v4 base score of 9.3. The vulnerabilities stem from the commissioning wizard failing to validate device initialization, allowing attackers to set root credentials via crafted POST requests. Organizations using affected METZ CONNECT EWIO2 devices are urged to review technical details and apply mitigations to prevent unauthorized access and maintain device integrity and availability.
Mar 21, 2026