
MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs

Incident (open): May 5, 2026 — May 5, 2026

Two critical vulnerabilities in widely used web platforms are under active attack, allowing unauthenticated remote code execution on exposed servers. SecurityWeek reported that the flaws affect MetInfo CMS and Weaver E-cology, with thousands of internet‑facing instances mainly located in China. The flaws enable attackers to run arbitrary commands without needing any credentials, posing an immediate risk to organisations that have these systems reachable from the internet.

The MetInfo issue, tracked as CVE-2026-29014, is an unauthenticated PHP code injection that lets attackers send crafted requests to execute arbitrary code on the underlying system. The Weaver E-cology flaw, identified as CVE-2026-22679, stems from an exposed debug API endpoint at /papi/esearch/data/devops/dubboApi/debug/method that accepts interfaceName and methodName parameters to invoke command‑execution helpers. Both vulnerabilities carry a CVSS rating of 9.8, marking them as critical. Successful exploitation gives the attacker full control over the affected server, which can be used for further network movement or data theft.

The Weaver flaw affects versions released before the 12 March 2026 patch, with the first signs of exploitation seen on 17 March according to QiAnXin and later confirmed by Vega Research. Shadowserver Foundation noted probing activity as early as 31 March, indicating rapid uptake by attackers after the patch was released. For MetInfo, no official patch has been published yet, leaving approximately 2,000 internet‑accessible instances vulnerable to ongoing probe and payload delivery attempts as noted by VulnCheck. Attackers have been observed inserting web shells and executing system commands to gather information from compromised hosts.

Although no specific threat actor has been linked to the activity, the scanning patterns and payloads resemble opportunistic campaigns that target vulnerable web applications in the Asia‑Pacific region. Researchers observed attackers using the exposed endpoints to drop shells and execute commands for further lateral movement, a trend highlighted in BleepingComputer’s reporting on exploitation since March. The low complexity of the attack vectors means that even relatively unskilled actors can leverage these flaws, increasing the overall threat surface.

Administrators should immediately apply the Weaver E-cology patch released in March and consider disabling the debug API if it is not required for normal operations, a step highlighted in the patch advisory. Network defenders can also deploy web application firewall rules that block suspicious POST requests containing unusual interfaceName or methodName values and monitor logs for unexpected command output. For MetInfo, where a fix is not yet available, limiting external access to the CMS, enforcing strict input validation on PHP parameters and deploying temporary mitigations such as request filtering are advised. Regular credential reviews and privilege restriction on the affected systems can reduce the impact of a successful breach.
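The log-monitoring step above, as an added detection example (not code from the article, from Weaver, or from any of the cited researchers): it scans combined-format web server access logs and flags every request to the exposed debug endpoint, extracting the interfaceName and methodName parameters where they appear in the query string. The combined log format and the sample lines are constructed assumptions; the interface and method values in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory; once the debug API is disabled, any hit is unexpected.
DEBUG_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
WATCHED_PARAMS = ("interfaceName", "methodName")

# Assumed combined log format: ip - - [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan_access_log(lines):
    """Return one finding dict per request whose path is the debug endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than guess
        parts = urlsplit(m.group("target"))
        # Strip a trailing slash and ignore case so simple path variants still match.
        if parts.path.rstrip("/").lower() != DEBUG_PATH.lower():
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        params = {k: qs[k][0] for k in WATCHED_PARAMS if k in qs}
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # A POST carries its parameters in the body, which access logs omit;
            # the request is still flagged because the path alone is the signal.
            "params": params,
        })
    return findings

# Constructed sample lines (not real traffic); parameter values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2026:10:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2026:10:02:15 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method'
    '?interfaceName=com.example.Placeholder&methodName=exampleMethod HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.7 - - [31/Mar/2026:10:02:19 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method/ HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Hits on the path with a 404 or other error status still deserve attention, since they show the endpoint is being probed even where the patch has already removed it.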

Conducting asset discovery to identify any internet‑facing MetInfo or Weaver instances helps prioritize patching and segmentation efforts. If immediate patching is not possible, isolating the affected servers behind a VPN or turning off the service until a fix is applied reduces the risk of compromise. Staying subscribed to threat intelligence feeds and vulnerability advisories ensures that new exploitation attempts are detected quickly. Maintaining up‑to‑date antivirus and endpoint detection tools adds another layer of defence against the payloads that these vulnerabilities tend to deliver.

CVEs: CVE-2026-22679 (CVSS 9.8), CVE-2026-29014 (CVSS 9.8)
Root source: blog.vega.io