MetInfo CMS PHP injection (CVE-2026-29014) under attack
Attackers are exploiting an unauthenticated PHP code injection in MetInfo CMS (CVE-2026-29014), affecting versions 7.9–8.1; patches were released April 7, 2026.
Security teams report active exploitation of an unauthenticated PHP code injection in MetInfo CMS (CVE-2026-29014), affecting versions 7.9, 8.0 and 8.1. MetInfo published patches for the flaw on April 7, 2026.
The NIST National Vulnerability Database assigns CVE-2026-29014 a CVSS score of 9.8 and describes it as an unauthenticated PHP code injection that allows remote attackers to execute arbitrary code by sending crafted requests containing PHP code. The flaw is in /app/system/weixin/include/class/weixinreply.class.php, where user input passed to the Weixin (WeChat) API is not properly sanitized.
Successful exploitation allows an unauthenticated actor to inject and run PHP on the affected server, which can lead to full server compromise. On non-Windows hosts the attack requires the /cache/weixin/ directory to exist; that directory is created when administrators install and configure the official WeChat plugin.
MetInfo’s patches were available April 7, but exploitation activity began on April 25 with a small number of automated probes and exploit attempts against honeypots in the United States and Singapore. Activity increased on May 1 and shifted to traffic originating from China and Hong Kong IP addresses. VulnCheck’s Caitlin Condon noted, “The early activity was sparse but later intensified, with many probes originating from the two regional networks.”
About 2,000 MetInfo installations are reachable on the public internet, most hosted in China. Researchers tracking the incidents reported that observed activity included both opportunistic automated scans and more focused campaigns after May 1; detection work used honeypots to capture exploit attempts.
MetInfo’s April 7 updates address the vulnerable code paths. Administrators running affected versions are urged to apply the published patches and verify whether the WeChat plugin and its cache directory are present on their servers.
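The verification step above can be scripted for hosts that serve several sites. The following is an added example, not code from MetInfo or from the researchers quoted here; the function names and state words are this example's own, and the web root paths are supplied by the operator.

```shell
#!/bin/sh
# Added example: local triage for the CVE-2026-29014 preconditions the article
# names. Reads the filesystem only; it does not determine patch level.

# Paths relative to the MetInfo web root, as given in the article.
VULN_FILE="app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR="cache/weixin"

# Print one state word (names are this example's own) for a web root:
#   not-found         argument is not a directory
#   absent            weixinreply.class.php is not installed
#   code-present      class file installed, cache/weixin missing
#   precondition-met  class file installed and cache/weixin exists
# The article states the cache-directory requirement for non-Windows hosts only.
metinfo_weixin_state() {
    _root=$1
    if [ ! -d "$_root" ]; then
        echo "not-found"
    elif [ ! -f "$_root/$VULN_FILE" ]; then
        echo "absent"
    elif [ -d "$_root/$CACHE_DIR" ]; then
        echo "precondition-met"
    else
        echo "code-present"
    fi
}

# Print "state<TAB>root" per web root; return 1 if any root needs priority patching.
metinfo_report() {
    _rc=0
    for _r in "$@"; do
        _state=$(metinfo_weixin_state "$_r")
        printf '%s\t%s\n' "$_state" "$_r"
        if [ "$_state" = "precondition-met" ]; then _rc=1; fi
    done
    return "$_rc"
}

# Usage: sh check.sh /path/to/webroot [more roots...]
[ "$#" -eq 0 ] || metinfo_report "$@"
```

A `code-present` or `precondition-met` result says only that the Weixin component is installed; whether the April 7 patch has been applied still has to be confirmed against MetInfo's update.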



