Zero-Day Surge: The MetInfo CMS Flaw That Grants Unauthenticated Root Access to Servers
A zero-day vulnerability in the Chinese content management system MetInfo came under active exploitation within days of its discovery. Over the past week, researchers at VulnCheck have documented an initial series of attempts to exploit CVE-2026-29014, a flaw that allows unauthenticated remote PHP code injection. The activity has escalated rapidly from isolated incidents into a broad, automated scanning campaign.
According to VulnCheck telemetry, the first attacks on vulnerable servers appeared on April 25, when adversaries probed a limited selection of systems in the United States and Singapore. Traffic analysis showed a typical automated attack pattern: systematic identification of accessible MetInfo CMS instances, followed by attempted malicious code injection.
While the activity remained sporadic through late April, a dramatic surge in exploitation was observed on May 1. The brunt of this activity was directed at Singapore-based nodes within the VulnCheck Canary network, and the attacks were traced to IP addresses associated with China and Hong Kong.
MetInfo CMS is a prominent open-source content management framework widely used in China. VulnCheck estimates that approximately two thousand instances of the platform are reachable from the public internet, with the vast majority located in the People's Republic of China. The industrial scale of the current scanning suggests a concerted effort to identify as many susceptible servers as possible before patches and other defensive measures are distributed.
CVE-2026-29014 is critical because it permits PHP code injection without authentication. A successful compromise gives an attacker full control of the target website, allowing the compromised server to be used for subsequent attacks.
VulnCheck has added intelligence on this exploitation activity to its proprietary Known Exploited Vulnerabilities (KEV) catalog, which tracks real-world use of critical flaws in active attacks.