www.securityweek.com 5/5/2026, 10:02:05 AM · via preferred

MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs



First seen 2026-05-05T08:11:42.703Z · Last seen 2026-05-05T10:02:05.161Z

CyberSIXT Evidence Panel
Primary Source: blog.vega.io
CISA KEV: Not in KEV
Patch: Patch Available

Two critical-severity flaws in MetInfo and Weaver E-cology are being exploited to execute arbitrary code remotely without authentication. The MetInfo flaw, tracked as CVE-2026-29014 with a CVSS of 9.8, arises from an unauthenticated PHP code injection path that accepts user input and allows remote code execution.

On Weaver E-cology, CVE-2026-22679 carries a CVSS of 9.3 and stems from exposed debug functionality that can be invoked via crafted POST requests to run commands. Patches were released on 12 March 2026, with first exploitation observed less than a week later. According to VulnCheck, approximately 2,000 MetInfo CMS instances are accessible from the internet, mainly in China. The activity has included probing and payload delivery as attackers used the exposed endpoints.

In the observed campaign, attackers delivered various payloads and ran discovery commands. Vega notes that the operators did not need a persistent shell because the debug endpoint itself serves as the shell, allowing payload delivery and discovery to run concurrently and enabling rapid exploitation across affected systems.


Article by CyberSIXT
