CVE-2026-29014 MetInfo CMS Remote Code Execution Vulnerability Actively Exploited by Hackers

By xploitzone
May 5, 2026 6:45 PM

Imagine for a second that your server is working perfectly fine. The website is running, customers are coming and everything seems normal. But if you peel back the curtain, a stranger is already hiding somewhere behind you, viewing your files and roaming your database while you are unaware.

This is what happens when an unauthenticated remote code execution vulnerability is exploited, and it is happening right now to thousands of servers running MetInfo CMS because of CVE-2026-29014. This is not a future fear; it is a confirmed reality as of May 2026.

CVE-2026-29014 carries a CVSS score of 9.8, the highest level of critical severity. In plain terms, exploiting this vulnerability is neither difficult nor slow: an attacker with no account and no permissions can send a specially crafted request and run their own code on your MetInfo server.

And once that code executes, the attacker has complete control: delete files, install malware, steal data, or use the server as a weapon to attack others. Anything is possible with a single malicious request.

CVE-2026-29014 Explained

This vulnerability is present in MetInfo CMS versions 7.9, 8.0 and 8.1, and it originates in a place very few people pay attention to. The system contains a file named weixinreply.class.php, which handles API requests from Weixin, i.e. WeChat.

Security researcher Egidio Romano discovered that when this file processes input coming from outside, it does not sanitize that input properly. That means an attacker can hide malicious PHP code in the input, and the server executes that code directly without question.

[Image omitted (source: websec)]

PHP code injection is not just an error. It is like opening a door that lets the attacker in and then closing it behind them. Once arbitrary PHP code is executed, the attacker can install a webshell that gives them a permanent backdoor. This means that even if you patch the vulnerable version, an attacker who has already installed a webshell is still inside.

An important technical point: for successful exploitation on non-Windows servers, the “/cache/weixin/” directory must already exist. This directory is created when the official WeChat plugin is installed and configured. Since MetInfo is essentially a Chinese CMS built for Chinese businesses, and WeChat is the most popular platform in China, this directory already exists in the vast majority of MetInfo installations. In practical terms, this condition is not a barrier but an almost guaranteed setup.

MetInfo officially released the patch on April 7, 2026. But this is where the real story begins. After the patch release, the security community assumed exploitation might take time. That assumption was proven wrong on April 25, when researchers at VulnCheck first observed requests targeting this vulnerability on their honeypots in the US and Singapore.

Honeypots are deliberately vulnerable decoy servers set up to lure attackers so that their techniques can be studied. When a honeypot is hit, someone out there is actively searching for and exploiting the vulnerability. At first, this activity looked like automated scanning, as if a tool was sweeping the internet and compiling a list of MetInfo installations.

But everything changed on May 1, 2026. There was a sharp, sudden surge in focused attacks from IP addresses in China and Hong Kong. This was the moment researchers confirmed that the activity was no longer mere reconnaissance but active exploitation. VulnCheck's vice president of security research, Caitlin Condon, confirmed on LinkedIn that approximately 2000 MetInfo CMS instances are currently directly reachable from the internet, the overwhelming majority of them located in China.

Some people relax when they hear the figure of 2000, because it seems small next to the millions of installations of the largest CMS platforms. That thinking is dangerous. Every vulnerable instance is a real organization, a real business, a real server with real customer data, real financial records and real operations. Every one of them that is unpatched is right now on the active radar of attackers. Automated scanners do not care whether your server is small or large; they just need an open door.

The Real Lesson of This Vulnerability: What You Must Do Now

It is important to point out something very few people acknowledge. The exploitation timeline for CVE-2026-29014 has once again shown that the window between a patch release in 2026 and active exploitation is so short that the old “I will update it over the weekend” attitude can literally get you breached. The patch came out April 7. Exploitation began April 25. 18 days. Just 18 days. And systems that had not been updated were already receiving active attack attempts.

This is not just a MetInfo issue; it is a problem for the entire web security landscape. Once a critical vulnerability is publicly disclosed and exploits become available on dark web markets, often within hours, automated bots using services like Shodan and Censys build a list of vulnerable IP addresses and launch attacks at scale. Human involvement in this process is minimal, meaning no one is specifically targeting you. It is just a machine looking for open ports, and if your server is vulnerable, it gets listed.

If you use MetInfo CMS, first check your version. If you are on 7.9, 8.0 or 8.1, stop reading this article and go to MetInfo's official site. The patch has been available since April 7, and updating is the most important thing to do now. But simply updating is not enough.

If you use the WeChat plugin, review the permissions of the “/cache/weixin/” directory and remove unnecessary write access. Check your server logs for unusual requests after April 25th. If you find anything suspicious, assume a breach has already occurred and follow your full incident response procedure.
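As an added example (not code from the article, MetInfo or VulnCheck), here is a Python triage script for the two checks just described: it parses web-server access logs for requests to weixinreply.class.php or to PHP files under /cache/weixin/ dated on or after April 25, and separately flags PHP files found in that cache directory. The sample log lines are constructed, and the URL prefix before the handler file is a placeholder, since the article does not give the exact request paths.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed sample lines (Apache/nginx combined format), not real traffic. The prefix
# before weixinreply.class.php is a placeholder: the article names the file and the
# /cache/weixin/ directory but not the exact request paths seen in the wild.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2026:10:02:11 +0000] "POST /example-path/weixinreply.class.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [26/Apr/2026:03:44:18 +0000] "POST /example-path/weixinreply.class.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [02/May/2026:11:05:40 +0000] "GET /cache/weixin/x.php HTTP/1.1" 200 88 "-" "curl/8.0"
"""

# Combined log format: client IP, two ident/user fields, bracketed timestamp, quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
# Indicator 1: any request reaching the vulnerable WeChat handler.
VULN_HANDLER = re.compile(r"weixinreply\.class\.php", re.I)
# Indicator 2: PHP requested from the cache directory, where no code should live (webshell pattern).
CACHE_PHP = re.compile(r"/cache/weixin/[^?\s]*\.php", re.I)
# First in-the-wild exploitation observed on 25 April 2026 per the article; widen if needed.
SINCE = datetime(2026, 4, 25, tzinfo=timezone.utc)

def classify(path: str) -> Optional[str]:
    """Return why a request path is suspicious, or None."""
    if VULN_HANDLER.search(path):
        return "request to vulnerable handler"
    if CACHE_PHP.search(path):
        return "php under cache dir"
    return None

def suspicious_requests(lines: Iterable[str], since: datetime = SINCE) -> List[dict]:
    """Parse access-log lines and keep indicator hits dated on or after `since`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reason = classify(m["path"])
        if ts >= since and reason:
            hits.append({"ip": m["ip"], "when": ts.isoformat(), "method": m["method"],
                         "path": m["path"], "reason": reason})
    return hits

def php_files_in_cache(relative_paths: Iterable[str]) -> List[str]:
    """Filesystem side of the same check: PHP files under cache/weixin/ are a webshell
    indicator whatever the logs show (feed it paths collected with os.walk)."""
    return sorted(p for p in relative_paths if CACHE_PHP.search("/" + p.lstrip("/")))
```

Run `suspicious_requests(open("access.log"))` against the real log; the pre-window hit on April 20 in the sample is dropped only because the article's window starts on April 25, so widen `since` if you want the full picture.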

But the bigger message is for those who do not use MetInfo. If you run any PHP-based web application or CMS, this vulnerability is a mirror held up to you. Outdated WordPress plugins, unpatched Joomla extensions, ignored Drupal security advisories: all fall in the same category.

PHP code injection vulnerabilities that allow unauthenticated exploitation are not just a MetInfo problem. They are a failure of the fundamental practice of web development that every piece of user input must be sanitized and validated, in every scenario, without exception.

Cybersecurity professionals use a phrase that fits this perfectly: “Patch management is not a task, it is a discipline.” Updating is not a one-time job but an ongoing process that requires dedicated attention. CVE-2026-29014 proved that when this discipline is missing, the consequences are not theoretical. They show up as real servers, real data and real businesses. And by then it is too late.
