MetInfo CMS (CVE-2026-29014): RCE via PHP injection

Colleagues, attention: a critical MetInfo CMS vulnerability (CVE-2026-29014) is being exploited.
Summary:
- Vulnerability: unauthenticated PHP injection in versions 7.9, 8.0, 8.1 (CVSS 9.8) enabling RCE.
- Reported by Egidio Romano; root cause in weixinreply.class.php — lack of sanitization in Weixin API requests; on non‑Windows systems exploit requires /cache/weixin/ directory.
- Patches released April 7; exploits observed since April 25, spike on May 1; primary activity from IPs in China and Hong Kong; ~2,000 instances exposed (majority in China).
Impact: allows full server compromise if unpatched.
What will you do to protect?
#cybersecurity #infosec #CMS #vulnerabilities


Latest comments
No comments yet.