Threat actors are actively exploiting a critical security flaw in MetInfo, a widely used open-source content management system, according to new findings from VulnCheck. The vulnerability, tracked as CVE-2026-29014 with a CVSS score of 9.8, is a code injection flaw that allows unauthenticated remote attackers to execute arbitrary code on vulnerable servers.
MetInfo is a PHP-based CMS primarily used by small and medium-sized businesses across Asia, with a significant installation base in China. The active exploitation campaign was confirmed by VulnCheck researchers who observed in-the-wild attacks targeting unpatched deployments.
Vulnerability Overview
CVE-2026-29014 is classed as a code injection vulnerability; the details available at the time of writing do not narrow it down to a specific MetInfo component beyond its request and parameter handling. Exploitation requires no prior authentication, so a single crafted request from any network position suffices, which makes the flaw trivially weaponizable:
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-29014 |
| CVSS Score | 9.8 (Critical) |
| Affected Software | MetInfo CMS (multiple versions) |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| Impact | Full RCE as web server process |
The flaw enables attackers to inject and execute arbitrary PHP or system commands with the privileges of the web server process (typically www-data or the PHP-FPM user). That is not root, but it is enough to read the site's configuration and database credentials, write a web shell into the document root, and pivot to other sites or services on the same host.
Active Exploitation Observed
VulnCheck's research identified scanning activity and exploitation attempts targeting internet-exposed MetInfo installations. The attack pattern involves:
- Reconnaissance — Automated scanning for MetInfo fingerprints (default installation paths, response headers, and page markup)
- Exploitation — Sending a crafted HTTP request to the vulnerable endpoint to trigger code injection
- Post-exploitation — Deploying web shells, credential stealers, or cryptominers on compromised hosts
The rapid weaponization of this flaw follows a now-common pattern where researchers or threat actors develop working exploits within hours of a CVE being published, then launch mass scanning campaigns.
Why MetInfo CMS Is a Target
MetInfo installations tend to share several characteristics that make them attractive to attackers:
- Infrequent patching — Small business operators often run outdated CMS versions
- Predictable paths — Default MetInfo installation paths are well-known and easily scanned
- Hosting concentration — Many installations are co-hosted on shared servers, enabling lateral movement
- Limited security monitoring — Small businesses rarely have WAFs or SIEM monitoring in place
This combination means successful exploitation is often quiet — attackers can persist undetected for extended periods.
Recommended Actions
Patch Immediately
Apply the latest MetInfo security update as soon as possible. Check the official MetInfo repository for the patched release addressing CVE-2026-29014.
If Patching Is Not Immediately Possible
Take the site offline or restrict access until a patch can be applied. Leaving a CVSS 9.8 vulnerability exposed to the internet with active exploitation underway is not an acceptable risk posture.
As a secondary measure, configure your WAF or web server to block requests matching known exploitation patterns for this vulnerability. Treat this as a stopgap only: a signature written for the public proof-of-concept can be bypassed by a variant payload, so it buys time for patching rather than replacing it.
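One way to restrict access while the patch is pending, as an added example that is not part of the original article or of MetInfo's own configuration: an nginx server block that allows only a known set of source addresses and returns 403 to everyone else. The server name, socket path, and address ranges below are placeholders to be replaced with the site's own values.

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/html;

    # Temporary allowlist while CVE-2026-29014 is unpatched. allow/deny set at
    # server level apply to every location below. Replace with the office or
    # VPN egress addresses that must still reach the site; everyone else gets 403.
    allow 203.0.113.0/24;
    allow 198.51.100.10;
    deny  all;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Reload nginx after the change and confirm from an address outside the allowlist that the site returns 403. Remove the allowlist only once the patched MetInfo release is installed and verified.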
Check for Compromise
If your MetInfo installation was internet-accessible prior to patching, assume it may have been compromised and investigate:
```bash
# Check for recently modified PHP files (possible web shells).
# -newer compares against the mtime of index.php: if the patch itself touched
# index.php, pick an older reference file, and bear in mind that an attacker
# can reset mtimes on dropped files.
find /var/www/html -name "*.php" -newer /var/www/html/index.php -ls

# Review web server access logs for POST requests to PHP files; -F makes the
# dot in ".php" a literal character rather than a regex wildcard.
grep "POST" /var/log/nginx/access.log | grep -F ".php" | tail -100
```
Web Shell Indicators of Compromise
Common web shell characteristics to look for in PHP files:
- Use of dynamic code evaluation or command execution functions with variable arguments (eval, system, passthru), often combined with base64_decode to hide the payload
- Files with names mimicking legitimate CMS components but unusually small file sizes
- PHP files with minimal content that accept a POST parameter to perform server-side actions
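The two triage steps above, the access-log review and the file scan for web shell indicators, combined into one script, as an added example that is not part of the original article or of MetInfo's own code. It walks a document root for .php files matching the three indicators listed above (execution functions taking a variable argument, base64_decode, and a small file that reads request parameters), and separately flags POST requests to .php paths that are not on a list of endpoints the site is expected to serve. The sample files, log lines, size threshold and the allowlist of known POST endpoints are constructed for the example and would be replaced with the real site's values.

```python
"""Web-shell triage for a PHP CMS install: example code added to this article,
not MetInfo project code. Sample files and log lines below are constructed."""
import os
import re
import tempfile

# Indicator 1: dynamic code/command execution whose argument is a variable.
DYNAMIC_EXEC = re.compile(
    r'\b(eval|assert|system|passthru|exec|shell_exec|popen|proc_open)\s*\(\s*\$', re.I)
# Indicator 2: base64_decode, commonly used to hide the real payload.
BASE64 = re.compile(r'\bbase64_decode\s*\(', re.I)
# Indicator 3: a tiny file that reads request parameters.
REQUEST_INPUT = re.compile(r'\$_(POST|GET|REQUEST|COOKIE)\s*\[', re.I)
SMALL_FILE_BYTES = 2048  # assumed threshold; tune for the site being checked


def scan_php_source(data: bytes) -> list:
    """Return the list of indicator names that match one PHP file's contents."""
    text = data.decode('utf-8', errors='replace')
    hits = []
    if DYNAMIC_EXEC.search(text):
        hits.append('exec-with-variable-argument')
    if BASE64.search(text):
        hits.append('base64_decode')
    if len(data) < SMALL_FILE_BYTES and REQUEST_INPUT.search(text):
        hits.append('small-file-reads-request-input')
    return hits


def scan_tree(root: str) -> dict:
    """Map each flagged .php file (relative path) under root to its indicators."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as f:
                hits = scan_php_source(f.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# nginx/apache "combined" log format; only the fields needed here are captured.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def suspicious_posts(log_lines, known_post_endpoints):
    """POST requests to .php paths the site is not expected to serve."""
    out = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        path = target.split('?', 1)[0]  # drop the query string
        if method == 'POST' and path.endswith('.php') and path not in known_post_endpoints:
            out.append((ip, ts, path, int(status)))
    return out


# Constructed sample files: one legitimate handler and two web shells.
SAMPLE_FILES = {
    # Legitimate-looking login handler: reads $_POST but is a normal-sized file.
    'login.php': ("<?php\nrequire_once 'config.php';\n$user = $_POST['user'];\n"
                  + "// " + "x" * 2100 + "\n"),
    # Classic one-line shell.
    'cache.php': "<?php @eval($_POST['c']); ?>",
    # Obfuscated command runner dropped into an upload directory.
    'upload/img.php': "<?php $f = base64_decode($_GET['d']); passthru($f); ?>",
}
# Constructed access-log lines (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:02:14:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:03:01:44 +0000] "POST /cache.php HTTP/1.1" 200 212 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2026:03:02:10 +0000] "POST /upload/img.php?d=aWQ= HTTP/1.1" 200 88 "-" "curl/8.0"',
]


def demo():
    """Write the samples to a temp dir, scan them, and triage the sample log."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as f:
                f.write(body)
        files = scan_tree(root)
    posts = suspicious_posts(SAMPLE_LOG, {'/login.php'})
    return files, posts


if __name__ == '__main__':
    flagged_files, flagged_posts = demo()
    for rel, hits in sorted(flagged_files.items()):
        print(f"{rel}: {', '.join(hits)}")
    for ip, ts, path, status in flagged_posts:
        print(f"{ip} {ts} POST {path} -> {status}")
```

Against the sample tree, login.php is not flagged, cache.php trips the execution and small-file indicators, and upload/img.php trips all three; the log triage surfaces the two POSTs to paths outside the allowlist. On a real host, point scan_tree at the document root, build the allowlist from the CMS's legitimate form handlers, and treat the output as a shortlist for manual review rather than a verdict: a shell that only uses functions outside the regex, or a legitimate plugin that calls eval, will produce misses and false positives respectively.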
Broader Context: CMS Exploitation Trends
CMS-targeting attacks have accelerated in 2026 as threat actors increasingly use AI-assisted tools to enumerate and exploit known CVEs at scale. The pattern is consistent: a critical CVE drops, a working proof-of-concept follows within hours, and mass exploitation campaigns begin within 24–72 hours.
Organizations running any self-hosted CMS should treat CVE management for those platforms as a continuous and prioritized process, not an occasional task. Services like Shodan and Censys are used by attackers to enumerate exposed CMS instances at internet scale before most administrators are even aware of a new CVE.