Threat actors have separately begun exploiting two critical-severity vulnerabilities in MetInfo and Weaver E-cology that allow them to execute arbitrary code remotely, without authentication.
MetInfo is an enterprise content management system (CMS) that relies on PHP and MySQL and offers various SEO optimization capabilities.
Tracked as CVE-2026-29014 (CVSS score of 9.8) and disclosed in early April, the now-exploited critical flaw in MetInfo is described as an unauthenticated PHP code injection issue.
The issue exists because the execution path insufficiently neutralizes user-supplied input, allowing attackers to send crafted requests containing PHP code, achieve remote code execution (RCE), and take over vulnerable servers.
On Monday, VulnCheck warned that threat actors started exploiting the CVE last week. Initially limited and likely associated with automated probing, the exploitation surged over the weekend, focusing on deployments in Singapore.
According to VulnCheck, there are roughly 2,000 MetInfo CMS instances accessible from the internet, primarily in China.
Weaver E-cology, which is also predominantly used in China, is an office automation and collaboration solution that allows organizations to manage portals, workflows, information, projects, clients, assets, communications, and more.
The exploited bug, tracked as CVE-2026-22679 (CVSS score of 9.3), exists because exposed debug functionality can be invoked via crafted POST requests to execute arbitrary commands.
Patches for the unauthenticated RCE weakness were released on March 12, and the first exploitation attempts were observed less than a week later, Vega reports.
As part of the observed activity, the attackers probed the vulnerability via ping callbacks, then attempted to deliver various payloads. Ultimately, the attackers executed discovery commands, using the exposed debug endpoint as a shell.
“The operator never needed a persistent shell: the debug endpoint is the shell, with strict request/response semantics. That is also why payload delivery and discovery could happen concurrently: both are different POST bodies to the same endpoint,” Vega notes.
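Because the activity Vega describes consists only of repeated POSTs to one endpoint, it can be hunted in web access logs rather than by looking for a shell process. The following Python is an added example, not code from Vega, VulnCheck or Weaver; the endpoint path is a placeholder (the article does not name it), the log lines are constructed, and the `min_posts` threshold is an assumption.

```python
import re
from collections import defaultdict

# Assumption: placeholder path. The article does not name the debug endpoint.
DEBUG_PATH = "/PLACEHOLDER/debug-endpoint"

# Leading fields of the common/combined access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2030:02:10:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2030:02:11:05 +0000] "POST /PLACEHOLDER/debug-endpoint HTTP/1.1" 200 18
198.51.100.7 - - [01/Jan/2030:02:11:09 +0000] "POST /PLACEHOLDER/debug-endpoint HTTP/1.1" 200 412
203.0.113.9 - - [01/Jan/2030:02:11:30 +0000] "POST /PLACEHOLDER/debug-endpoint HTTP/1.1" 404 0
this line is malformed and must be skipped
198.51.100.7 - - [01/Jan/2030:02:11:31 +0000] "POST /PLACEHOLDER/debug-endpoint?x=1 HTTP/1.1" 200 1290
198.51.100.7 - - [01/Jan/2030:02:11:40 +0000] "POST /PLACEHOLDER/debug-endpoint HTTP/1.1" 200 77
"""

def find_debug_shell_use(lines, path=DEBUG_PATH, min_posts=3):
    """Return clients that repeatedly POST to the debug path and get varying output."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # tolerate malformed lines instead of aborting the hunt
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != path:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    findings = {}
    for ip, reqs in hits.items():
        ok = [r for r in reqs if r[1] == 200]
        sizes = {r[2] for r in ok}
        # Different POST bodies to one endpoint show up as differing response sizes.
        if len(ok) >= min_posts and len(sizes) > 1:
            findings[ip] = {"posts": len(reqs), "distinct_sizes": len(sizes),
                            "first": reqs[0][0], "last": reqs[-1][0]}
    return findings

if __name__ == "__main__":
    for ip, info in find_debug_shell_use(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A single rejected request, such as the 404 from 203.0.113.9 in the sample, is not flagged; any request reaching the debug path on an internet-facing host is still worth reviewing on its own.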



