2026-05-05 The Hacker News

MetInfo CMS CVE-2026-29014 RCE Exploit Under Active Attack

Tags: Zero-Day, Vulnerability, Malware

Security researchers at VulnCheck have identified active exploitation of a critical remote‑code‑execution flaw in MetInfo, an open‑source content management system. The vulnerability, tracked as CVE‑2026‑29014, resides in the way MetInfo processes user‑supplied input within its template engine, allowing unauthenticated attackers to inject malicious PHP code and gain arbitrary command execution on the underlying server.

Threat actors are leveraging specially crafted HTTP requests that target the vulnerable endpoint, delivering payloads that spawn a reverse shell or download additional malware components. Once compromised, the affected servers are used as pivot points for lateral movement, data exfiltration, or to host malicious scripts for subsequent attacks. Early indicators of compromise (IOCs) include unusual outbound connections on high ports, unexpected PHP processes, and the presence of obfuscated code within the CMS’s cache directories.

The flaw carries a CVSS score of 9.8, underscoring its severity and the potential for widespread damage if left unpatched. Organizations running MetInfo deployments are urged to apply the latest security update immediately, disable unused modules, and enforce strict file‑system permissions to limit write access for the web server process. Deploying Web Application Firewalls with rules that detect and block injection patterns associated with CVE‑2026‑29014 can provide an additional layer of defense while patches are rolled out.

Security teams should also monitor for IOCs such as newly created admin accounts, unexpected scheduled tasks, and anomalous network traffic originating from MetInfo servers. Continuous threat‑intel feeds and vulnerability‑scanning tools can help ensure that any newly exposed instances are identified and remediated before attackers can capitalize on the flaw.
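As an added defensive example (not code from the article, The Hacker News or the MetInfo project), the following Python script applies two of the checks above to a cache tree: it flags PHP files that carry obfuscation indicators and files that are writable by the web-server group or by anyone. The directory layout, file names and file contents are constructed fixtures, not real artefacts from this campaign.

```python
import os
import re
import stat
import tempfile

# Indicators of obfuscated or dropped PHP of the kind the article places in CMS cache directories.
INDICATORS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("decoder", re.compile(rb"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("exec", re.compile(rb"\b(?:system|passthru|shell_exec|proc_open|popen)\s*\(")),
    ("long_blob", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),  # encoded payload blob
]
PHP_EXTENSIONS = (".php", ".phtml", ".inc")

def php_indicators(path):
    """Names of the indicators present in one file (empty list for clean code)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in INDICATORS if rx.search(data)]

def is_group_or_world_writable(path):
    """True when the web-server group or anyone else may modify the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan_cache_dir(root):
    """Walk a cache tree; report PHP files that look obfuscated or are loosely permissioned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits, writable = php_indicators(path), is_group_or_world_writable(path)
            if hits or writable:
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": hits, "writable": writable})
    return findings

def build_sample_cache():
    """Constructed fixture (hypothetical content): one compiled template and one planted dropper."""
    root = tempfile.mkdtemp(prefix="metinfo_cache_")
    tpl_dir = os.path.join(root, "templates")
    os.makedirs(tpl_dir)
    with open(os.path.join(tpl_dir, "index_tpl.php"), "wb") as fh:
        fh.write(b"<?php /* compiled template */ echo htmlspecialchars($title); ?>")
    blob = b"Q" * 240  # stand-in for an encoded payload; not real code
    planted = os.path.join(tpl_dir, ".cache_x.php")
    with open(planted, "wb") as fh:
        fh.write(b"<?php @eval(gzinflate(base64_decode('" + blob + b"'))); ?>")
    os.chmod(planted, 0o666)  # left writable, as a dropped file often is
    return root
```

Point `scan_cache_dir()` at a real MetInfo cache path to triage a suspect host; a hit on `eval` plus a decoder or a long blob in a file the CMS did not generate is worth pulling for analysis, and any writable hit should be corrected as part of the permission hardening the article recommends.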

Source: The Hacker News
