Critical MetInfo and Weaver E-cology Flaws Under Active Exploitation — Unauthenticated RCE Targeting Chinese Enterprise Infrastructure
Two critical vulnerabilities in widely deployed Chinese enterprise software are under active exploitation, with threat actors leveraging unauthenticated remote code execution flaws in MetInfo CMS and Weaver E-cology to compromise servers without requiring any credentials.
CVE-2026-29014 (CVSS 9.8) affects MetInfo, a PHP and MySQL-based enterprise content management system popular for its search engine optimization (SEO) features. The flaw is a PHP code injection issue caused by insufficient neutralization of user-supplied input in the execution path: an attacker can send crafted requests containing PHP code to achieve remote code execution and fully take over a vulnerable server. VulnCheck warned that exploitation began last week with limited automated probing before surging over the weekend, with activity concentrated on deployments in Singapore. Approximately 2,000 MetInfo instances are accessible from the internet, primarily in China.
CVE-2026-22679 (CVSS 9.8) affects Weaver E-cology, an enterprise office automation and collaboration platform used across Chinese organizations to manage workflows, portals, projects, and communications. The vulnerability resides in an exposed debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method: crafted POST requests with attacker-controlled interfaceName and methodName parameters reach command-execution helpers and run arbitrary commands.
Patches for the Weaver flaw shipped on March 12, and the first exploitation was observed just five days later, on March 17. The Vega Research Team documented the full intrusion timeline: RCE verification, three failed payload delivery attempts, a pivot to an MSI implant disguised as "fanwei0324.msi" (using the romanized Chinese name for Weaver to appear benign), and attempts to retrieve PowerShell payloads from attacker-controlled infrastructure. Throughout the campaign the attackers ran standard discovery commands such as whoami, ipconfig and tasklist.
What makes the Weaver exploitation particularly notable is that the debug endpoint itself functions as a persistent shell. The operator never needed to deploy a backdoor: every command was a different POST body to the same endpoint, with strict request/response semantics, so payload delivery and discovery could happen concurrently through a single access point.
The Shadowserver Foundation independently observed the first signs of active Weaver exploitation on March 31, and Chinese security vendor QiAnXin confirmed successful reproduction of the RCE on March 17.
Mitigation:
Organizations running MetInfo CMS should apply patches for CVE-2026-29014 immediately and audit web-accessible instances for signs of PHP code injection. With only about 2,000 internet-facing instances the attack surface is concentrated, but exploitation is active. Weaver E-cology operators must update to versions released after March 12, because the debug endpoint is trivially exploitable and requires no authentication. A Python-based detection script for identifying vulnerable Weaver instances is available on GitHub from security researcher Kerem Oruc. Monitor for unexpected POST requests to the dubboApi/debug/method endpoint and review server logs for execution of discovery commands. Since both vulnerabilities require no authentication, internet-facing deployments are the immediate priority.
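As an added illustration of the log monitoring recommended above (example code, not from the article or any of the vendors or researchers it cites), the script below scans combined-format web server access logs for requests to the Weaver debug endpoint and counts successful POSTs per source address. The log lines, IP addresses, timestamps and user agents are constructed for this example; only the endpoint path comes from the article.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/Nginx combined format).
# Addresses, timestamps and user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2026:09:14:02 +0000] "GET /login/Login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Mar/2026:09:15:40 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [17/Mar/2026:09:15:41 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 200 288 "-" "python-requests/2.31"
203.0.113.7 - - [17/Mar/2026:09:16:03 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 180 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Mar/2026:09:17:10 +0000] "POST /api/portal/login HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Endpoint path named in the article for CVE-2026-22679.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_debug_endpoint_hits(log_text):
    """Every request (any method, any status) whose path is the debug endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string and ignore case so a "?x=1" suffix or
        # mixed-case path does not hide the request from the comparison.
        path = rec["path"].split("?", 1)[0].lower()
        if path == DEBUG_ENDPOINT.lower():
            hits.append(rec)
    return hits


def posts_per_source(hits):
    """Count successful POSTs per client IP. Repeated 200-status POSTs from one
    address match the pattern described in the campaign, where each command
    was a separate POST body sent to the same endpoint."""
    return Counter(h["ip"] for h in hits
                   if h["method"] == "POST" and h["status"] == "200")
```

Every hit is worth reviewing, including GET probes that return 404, since the endpoint has no legitimate reason to be reached from the internet.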