Monday 06 July 2026 08:15:36 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Vulnerabilities & Patch Management

MetInfo CMS Under Siege: Hackers Exploit Code Injection Flaw for Full Server Takeover

Published: 05 May 2026 15:01Category: Vulnerabilities & Patch ManagementGeo: AsiaAuthor: KERNELWATCHER

Subtitle: Unpatched MetInfo CMS sites face a wave of remote code execution attacks as cybercriminals exploit a critical vulnerability.

In the shadowy world of cybercrime, vulnerabilities can turn trusted software into digital ticking time bombs. The latest target: MetInfo, a popular open-source content management system, now under active attack after hackers discovered a critical flaw that allows them to seize control of servers without so much as a password prompt. As the exploit spreads, thousands of websites-many in China-are at risk of becoming pawns in a global cyber offensive.

Fast Facts

  • Critical MetInfo CMS vulnerability (CVE-2026-29014) enables remote code execution without authentication.
  • Flaw affects versions 7.9, 8.0, and 8.1, with attacks observed since late April 2026.
  • Exploit activity surged on May 1, focusing on Chinese and Hong Kong IP addresses.
  • At least 2,000 MetInfo CMS instances are exposed online, most located in China.
  • Successful attacks give threat actors full control over affected servers.

Inside the Exploit: How Hackers Breached MetInfo CMS

The vulnerability-catalogued as CVE-2026-29014 and scoring a near-maximum 9.8 on the CVSS severity scale-stems from a fatal oversight in the way MetInfo handles input for its Weixin (WeChat) plugin interface. Security researcher Egidio Romano traced the flaw to a lack of input sanitization in the /app/system/weixin/include/class/weixinreply.class.php script. By sending specially crafted requests, attackers can inject malicious PHP code, triggering the server to execute it as if it were legitimate software.

Notably, this attack does not require any user interaction or authentication-just an accessible, unpatched MetInfo CMS and, on some systems, a pre-existing /cache/weixin/ directory (created when the official WeChat plugin is installed). Once inside, threat actors gain the keys to the kingdom: the ability to run any code they wish, steal data, deface sites, or pivot deeper into network environments.

According to VulnCheck, initial exploitation began with automated probes targeting honeypots in the U.S. and Singapore. But the real action started in early May, with a marked spike in attacks from Chinese and Hong Kong IP addresses. With some 2,000 MetInfo installations exposed to the internet-most in China-the risk is anything but hypothetical.

On April 7, MetInfo released a patch to close the gap, but as history shows, patch adoption can lag dangerously behind. Unpatched systems remain sitting ducks, ripe for compromise as criminals race to outpace defenders.

Aftermath and Outlook

The MetInfo saga is a stark reminder that in the digital arms race, a single unpatched flaw can become a gateway for cybercriminals worldwide. As attackers continue to scan for vulnerable systems, website operators are urged to patch immediately or risk becoming the next casualty in an increasingly sophisticated threat landscape. In the meantime, the MetInfo exploit serves as both a cautionary tale and a rallying cry for better security hygiene and faster response across the software ecosystem.

WIKICROOK

  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Code Injection: Code injection is an attack where hackers insert malicious code into a program, letting them control or compromise the targeted system.
  • CVSS (Common Vulnerability Scoring System): CVSS is a standard system for rating the severity of security vulnerabilities, assigning scores from 0 (low) to 10 (critical) to guide response priorities.
  • Input Sanitization: Input sanitization is filtering user data to block malicious or unwanted content, protecting software and databases from security threats.
  • Honeypot: A honeypot is a fake system set up to attract cyber attackers, enabling organizations to study attack methods without endangering real assets.