MetInfo CMS CVE-2026-29014 Remote Code Execution

MetInfo CMS CVE-2026-29014 Actively Exploited for RCE
A critical remote code execution vulnerability in MetInfo CMS, tracked as CVE-2026-29014, is being actively exploited in the wild. The flaw allows unauthenticated or low-privileged attackers to execute arbitrary code on affected servers, giving them full control over the underlying system. If you are running MetInfo, this needs your attention right now.
MetInfo is a PHP-based content management system widely used for corporate websites, particularly across Chinese-speaking markets. Its deployment footprint is significant enough that a working RCE exploit against it represents a real and immediate threat to a large number of production servers.
How CVE-2026-29014 Works: The Technical Breakdown
The vulnerability exists in the way MetInfo handles certain user-supplied input during file processing or module execution. Attackers can craft a malicious request that bypasses input validation and causes the server to execute attacker-controlled code. The exact attack vector involves injecting payloads through an exposed endpoint that fails to properly sanitize data before passing it to a backend PHP function.
Once the payload executes, the attacker gains a web shell or direct command execution context at the privilege level of the web server process. From there, privilege escalation, lateral movement, and data exfiltration are all straightforward next steps. The attack requires minimal sophistication, which is exactly why active exploitation is already being observed.
No authentication is required in the most severe exploitation paths reported so far. That makes it an ideal target for spray-and-pray attacks. Automated scanners are already sweeping the internet looking for vulnerable MetInfo installations.
What Developers and Server Operators Are Facing
The immediate risk is full server compromise. Attackers who exploit this successfully can read, modify, or delete all files accessible to the web server process. Database credentials stored in configuration files become exposed. Customer data, application secrets, and any sensitive content on the server are at risk.
Secondary risks include the server being recruited into botnets, used as a staging point for further attacks, or having backdoors installed that persist even after patching. Many organizations do not discover compromises of this type until significant damage has already been done.
How to Protect Your MetInfo Installation Against RCE Attacks
Patch immediately. Check MetInfo's official repository and vendor channels for a patched release addressing CVE-2026-29014. Apply it as soon as it is available.
If a patch is not yet available or you cannot patch immediately, apply these mitigations:
- Block external access to the vulnerable endpoint at the firewall or reverse proxy level until patching is complete.
- Restrict file write permissions for the web server user to the minimum necessary directories.
- Deploy a Web Application Firewall (WAF) with rules targeting PHP code injection and file inclusion patterns.
- Review server logs for unusual POST requests, unexpected file creation in web-accessible directories, or outbound connections from the web server process.
- Rotate all credentials stored in MetInfo configuration files as a precaution.
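One way to check the write-permission mitigation above, as an added example that is not part of the original article or of MetInfo: it lists the directories under a web root where a given account can create files and marks those that also hold PHP. The `www-data` account name and the `allowed` list are assumptions, and POSIX ACLs are not evaluated.

```python
import os
import stat
import sys


def can_create_files(st, uid, gids):
    """Classic owner/group/other check: creating a file needs write + search."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def audit_writable_dirs(web_root, uid, gids, allowed=()):
    """List directories under web_root where the account can create files.

    allowed holds relative paths where writes are expected (uploads, cache).
    POSIX ACLs and mount options are not evaluated here (assumption).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        if not can_create_files(os.stat(dirpath), uid, gids):
            continue
        rel = os.path.relpath(dirpath, web_root)
        findings.append({
            "dir": rel,
            "expected": rel in allowed,
            # A writable directory that also serves PHP is where a dropped
            # file becomes executable code.
            "holds_php": any(f.lower().endswith(".php") for f in files),
        })
    return findings


if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: audit.py <web_root> <account> [allowed_dir ...]
    import pwd  # POSIX only
    account = pwd.getpwnam(sys.argv[2])  # e.g. www-data (assumed name)
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    for item in audit_writable_dirs(sys.argv[1], account.pw_uid, groups, sys.argv[3:]):
        print(item)
```

Any finding with `expected` false, or with `holds_php` true, is a directory to tighten or to stop serving as PHP.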
Running an automated vulnerability scan against your web applications can surface exposure points before attackers find them. You can scan your application now at VibeWShield to check for known CMS vulnerabilities including issues like this one.
For additional reading on CMS-specific attack vectors, see our guide to PHP web application security.
Frequently Asked Questions
Does this vulnerability affect all versions of MetInfo CMS?
The specific versions confirmed vulnerable are still being documented. Assume any installation without the latest security patches applied is at risk until the vendor publishes a definitive advisory.
Can a WAF fully block exploitation of CVE-2026-29014?
A WAF can reduce risk and block many exploitation attempts, but it is not a substitute for patching. Sophisticated attackers can sometimes bypass WAF rules, especially for newly disclosed CVEs where rule sets are still being refined.
How do I know if my MetInfo server has already been compromised?
Look for unexpected PHP files in web-accessible directories, unfamiliar cron jobs, outbound network connections from the web process, and anomalies in access logs. A forensic file integrity check against a known-good baseline is the most reliable method.
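The file integrity check from the last answer, which also covers the "unexpected file creation in web-accessible directories" item in the mitigation list, as an added example (not from the original article or from MetInfo): it hashes a web root into a manifest and diffs a later scan against it. The extension list and the command-line form are assumptions; the baseline must be built from a known-good copy of the site.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

EXECUTABLE_EXTS = (".php", ".phtml", ".phar")  # assumed; match your PHP handler


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(web_root):
    """Map relative path -> SHA-256 (symlinks: their target, never followed)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests; new executable files are listed separately."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    new_exec = [p for p in added if p.lower().endswith(EXECUTABLE_EXTS)]
    return {"added": added, "modified": modified,
            "removed": removed, "new_executable": new_exec}


if __name__ == "__main__" and len(sys.argv) == 4:
    mode, root, path = sys.argv[1:]  # baseline|check <web_root> <manifest.json>
    if mode == "baseline":
        Path(path).write_text(json.dumps(build_manifest(root), indent=1))
    else:
        report = compare(json.loads(Path(path).read_text()), build_manifest(root))
        print(json.dumps(report, indent=1))
```

Keep the manifest off the server it describes, since anyone who can write to the web root could otherwise rewrite it along with the files.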