Threat actors have separately started exploiting two critical-severity vulnerabilities in MetInfo and Weaver E-cology that allow them to execute arbitrary code remotely, without authentication.
MetInfo is an enterprise content management system (CMS) that relies on PHP and MySQL and provides various SEO optimization capabilities.
Tracked as CVE-2026-29014 (CVSS score of 9.8) and disclosed in early April, the now-exploited critical flaw in MetInfo is described as an unauthenticated PHP code injection issue.
The issue exists because the execution path insufficiently neutralizes user-supplied input, allowing attackers to send crafted requests containing PHP code, achieve remote code execution (RCE), and take over vulnerable servers.
On Monday, VulnCheck warned that threat actors started exploiting the CVE last week. Initially limited and likely associated with automated probing, the exploitation surged over the weekend, focusing on deployments in Singapore.
According to VulnCheck, there are approximately 2,000 MetInfo CMS instances accessible from the internet, mainly in China.
Weaver E-cology, which is also predominantly used in China, is an office automation and collaboration solution that enables organizations to manage portals, workflows, knowledge, projects, clients, assets, communications, and more.
The exploited bug, tracked as CVE-2026-22679 (CVSS score of 9.3), exists because exposed debug functionality can be invoked via crafted POST requests to execute arbitrary commands.
Patches for the unauthenticated RCE weakness were released on March 12, and the first exploitation attempts were observed less than a week later, Vega reports.
As part of the observed activity, the attackers probed the vulnerability via ping callbacks, then attempted to deliver various payloads. Ultimately, the attackers executed discovery commands, using the exposed debug endpoint as a shell.
“The operator never needed a persistent shell: the debug endpoint is the shell, with strict request/response semantics. This is also why payload delivery and discovery could happen concurrently: both are different POST bodies to the same endpoint,” Vega notes.
Related: Exploitation of ‘Copy Fail’ Linux Vulnerability Begins
Related: Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
Related: SonicWall Urges Immediate Patching of Firewall Vulnerabilities
Related: Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure
