# Critical MetInfo CMS Vulnerability Under Active Exploitation—Patch Now


## The Threat


Threat actors are actively weaponizing a critical vulnerability in MetInfo, an open-source content management system widely deployed across Asia-Pacific organizations. The flaw, tracked as CVE-2026-29014, allows unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable servers—a direct path to complete system compromise.


According to research from VulnCheck, the vulnerability stems from improper input validation in MetInfo's file handling mechanisms. The CMS fails to adequately sanitize user-supplied input before processing it through PHP execution contexts, enabling attackers to bypass authentication entirely and run malicious code with the privileges of the web server process. This is a particularly dangerous class of vulnerability because it requires no credentials, no social engineering, and no user interaction—a simple crafted HTTP request is sufficient for exploitation.


The discovery of active exploitation in the wild underscores the urgency: this isn't a theoretical threat or a proof-of-concept. Real attackers are already targeting production MetInfo installations. Organizations running vulnerable versions should treat this as a security incident requiring immediate remediation, regardless of whether they've detected intrusions.


## Severity and Impact


| Metric | Value |

|---|---|

| CVE Identifier | CVE-2026-29014 |

| CVSS Score | 9.8 (Critical) |

| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

| Attack Vector | Network |

| Attack Complexity | Low |

| Privileges Required | None |

| User Interaction | None |

| Scope | Unchanged |

| Confidentiality Impact | High |

| Integrity Impact | High |

| Availability Impact | High |

| CWE Classification | CWE-94 (Improper Control of Generation of Code) |


A CVSS score of 9.8 reflects the maximum severity: remote, unauthenticated, zero-click exploitation with complete system compromise. An attacker exploiting this vulnerability can read sensitive files (database credentials, configuration secrets), modify or delete content, install persistent backdoors, or pivot to internal networks. In hosted environments, a single compromised MetInfo instance could serve as a staging ground for lateral movement.


## Affected Products


MetInfo CMS — all of the following versions are vulnerable:

  • Version 7.9
  • Version 8.0
  • Version 8.1

    • Organizations should verify their MetInfo deployment version immediately. The CMS typically displays version information in the admin panel or within generated HTML comments; if you cannot confirm you're running a patched version, assume vulnerability.


    ## Mitigations


    ### Immediate Actions (Priority 1)

    Upgrade immediately to the latest patched version released by MetInfo. The vendor has released security updates addressing CVE-2026-29014. Apply the patch to all MetInfo installations without delay. If your hosting provider or CMS management service maintains MetInfo, contact them to confirm patch status.


    If you cannot patch immediately, implement compensating controls:

  • Restrict network access to MetInfo admin and upload directories using firewall rules or network ACLs
  • Block direct HTTP/HTTPS access to the vulnerable upload endpoint if it can be identified
  • Enable Web Application Firewall (WAF) rules to detect and block malicious PHP code injection payloads (signature-based detection of PHP functions like system(), exec(), passthru())
  • Move upload directories outside the web root if the CMS architecture permits

    • ### Investigation and Forensics (Priority 2)

  • Review web server access logs for requests to upload directories or file handling endpoints, looking for POST requests with suspicious parameters or unusually large payloads
  • Check for unexpected files or directories created in the CMS installation folder or upload directories—attackers often leave backdoors
  • Examine database audit logs (if available) for modifications to content, admin users, or configuration settings
  • Search for suspicious recently-modified PHP files with obfuscated or encoded content
  • Scan the filesystem with antivirus or file integrity monitoring tools for web shells or malicious scripts

    • ### Longer-term Hardening (Priority 3)

  • Implement principle of least privilege: configure the web server process to run as a non-root user with minimal filesystem permissions
  • Disable PHP execution in upload directories using web server configuration (e.g., .htaccess for Apache, nginx.conf directives)
  • Enable PHP security settings: disable exec(), system(), and other dangerous functions via php.ini disable_functions directive
  • Implement file integrity monitoring to detect unauthorized changes to CMS files
  • Enable detailed security logging and centralized log aggregation for audit trails
  • Consider a Web Application Firewall (WAF) as a defensive layer for future vulnerabilities

    • ### Deployment Checklist

  • [ ] Verify current MetInfo version across all production instances
  • [ ] Back up all CMS data and databases before applying patches
  • [ ] Test patches in a staging environment before production deployment
  • [ ] Apply patches to all vulnerable instances
  • [ ] Verify successful upgrade and test CMS functionality post-patch
  • [ ] Review logs for signs of exploitation attempts
  • [ ] Scan for backdoors or unauthorized files
  • [ ] Update security monitoring to alert on suspicious PHP uploads

    • ## References


  • MetInfo Official Security Advisory: Check [metinfo.cn](https://metinfo.cn) for vendor updates and patch availability
  • VulnCheck Research Report: Available at vulncheck.com for detailed technical analysis and exploitation timeline
  • National Vulnerability Database (NVD): [CVE-2026-29014](https://nvd.nist.gov) for CVSS scoring and metadata
  • OWASP Code Injection Prevention: [owasp.org](https://owasp.org) guidance on secure input validation

    • ---


    Bottom line: This is a critical, actively exploited vulnerability affecting a real-world CMS platform. If you operate MetInfo, treat this as a security incident requiring immediate response. Patching is non-negotiable; compensating controls buy time if patching is delayed, but they are not substitutes for patching. The window for undetected exploitation closes as more organizations detect and publicize the attack patterns—act now.