Critical unauthenticated RCE flaws in MetInfo and Weaver E-cology exploited in the wild
Summary
Threat actors are exploiting two critical unauthenticated remote code execution (RCE) vulnerabilities in widely deployed enterprise software: MetInfo CMS (CVE-2026-29014, CVSS 9.8) and Weaver E-cology (CVE-2026-22679, CVSS 9.3). MetInfo exploitation has surged since May 1, 2026, focusing on approximately 2,000 internet-facing instances primarily in China, with initial activity detected on April 25 against honeypots in the U.S. and Singapore. The flaw stems from insufficient input sanitization in the Weixin API request path, enabling unauthenticated PHP code injection and full server compromise via crafted requests. Patches were released on April 7, 2026. Weaver E-cology exploitation continues via debug functionality abused for stateless command execution, observed within a week of patches released March 12, 2026.
Timeline
- 05.05.2026 12:27 (2 articles · 17h ago)
Critical unauthenticated RCE vulnerabilities in MetInfo and Weaver E-cology exploited in the wild
Threat actors are actively exploiting CVE-2026-29014 in MetInfo CMS (CVSS 9.8) and CVE-2026-22679 in Weaver E-cology (CVSS 9.3) to achieve unauthenticated remote code execution. MetInfo exploitation surged significantly on May 1, 2026, against approximately 2,000 internet-facing instances, most of them located in China, with attack traffic concentrated on Singapore and China/Hong Kong IP addresses. Attackers inject PHP code via crafted requests that exploit insufficient input neutralization in the Weixin API request path, gaining full server control. The prerequisite for successful exploitation on non-Windows servers is the existence of the "/cache/weixin/" directory, which is created during official WeChat plugin installation. Patches for MetInfo were released on April 7, 2026, and exploitation was detected as early as April 25 against honeypots in the U.S. and Singapore. Weaver E-cology exploitation abuses exposed debug functionality via crafted POST requests, enabling command execution without authentication. Attackers use the endpoint as a stateless shell for concurrent discovery and payload delivery; exploitation was observed within a week of the patch release on March 12, 2026.
Sources:
- MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs — www.securityweek.com — 05.05.2026 12:27
- MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks — thehackernews.com — 05.05.2026 14:56
Information Snippets
- CVE-2026-29014 affects MetInfo CMS versions prior to the latest patch, enabling unauthenticated PHP code injection leading to RCE on affected servers.
  First reported: 05.05.2026 12:27 (2 sources, 2 articles: www.securityweek.com, thehackernews.com)
- Approximately 2,000 MetInfo CMS instances are exposed to the internet, with the majority located in China.
  First reported: 05.05.2026 12:27 (2 sources, 2 articles: www.securityweek.com, thehackernews.com)
- Exploitation of CVE-2026-29014 in MetInfo surged over the weekend following initial automated probing, with a notable geographic focus on Singapore.
  First reported: 05.05.2026 12:27 (2 sources, 2 articles: www.securityweek.com, thehackernews.com)
- CVE-2026-22679 in Weaver E-cology arises from exposed debug functionality that can be invoked via crafted POST requests to execute arbitrary commands without authentication.
  First reported: 05.05.2026 12:27 (1 source, 1 article: www.securityweek.com)
- Patches for CVE-2026-22679 were released on March 12, 2026, and exploitation attempts were observed within a week of availability.
  First reported: 05.05.2026 12:27 (1 source, 1 article: www.securityweek.com)
- Attackers use the Weaver E-cology debug endpoint as a stateless shell, issuing discovery and payload commands via separate POST bodies to the same endpoint without requiring persistence.
  First reported: 05.05.2026 12:27 (1 source, 1 article: www.securityweek.com)
- CVE-2026-29014 affects MetInfo CMS versions 7.9, 8.0, and 8.1 specifically.
  First reported: 05.05.2026 14:56 (1 source, 1 article: thehackernews.com)
- The vulnerability is rooted in the "/app/system/weixin/include/class/weixinreply.class.php" script due to insufficient input sanitization during Weixin API requests.
  First reported: 05.05.2026 14:56 (1 source, 1 article: thehackernews.com)
- The prerequisite for exploitation on non-Windows servers is the existence of the "/cache/weixin/" directory, created during official WeChat plugin installation.
  First reported: 05.05.2026 14:56 (1 source, 1 article: thehackernews.com)
- Patches for CVE-2026-29014 were released by MetInfo on April 7, 2026.
  First reported: 05.05.2026 14:56 (1 source, 1 article: thehackernews.com)
- Exploitation activity escalated significantly on May 1, 2026, targeting IP addresses in China and Hong Kong after initial sparse automated probing.
  First reported: 05.05.2026 14:56 (1 source, 1 article: thehackernews.com)
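A defender-side exposure check for the MetInfo conditions listed above, added here and not code from the page or from MetInfo: given an install root it tests the three preconditions the reports name (a 7.9/8.0/8.1 release, the presence of weixinreply.class.php, and the /cache/weixin/ prerequisite directory) and returns a triage label. The VERSION file location, the label names and the sample layouts are assumptions constructed for the demo.

```python
# Added exposure check for MetInfo CMS / CVE-2026-29014; not code from the page or
# from MetInfo. Assumption: the release string lives in <root>/VERSION.
import os
import tempfile
from typing import Dict, Optional

AFFECTED_RELEASES = {"7.9", "8.0", "8.1"}   # releases named in the report
VULN_CLASS = "app/system/weixin/include/class/weixinreply.class.php"
PREREQ_DIR = "cache/weixin"                 # created by the official WeChat plugin

def read_version(root: str) -> Optional[str]:
    try:
        with open(os.path.join(root, "VERSION"), encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None

def triage(root: str) -> str:
    """Label an install; 'exposed' means every reported precondition is met."""
    release = ".".join((read_version(root) or "").split(".")[:2])
    affected = release in AFFECTED_RELEASES
    plugin = os.path.isfile(os.path.join(root, VULN_CLASS))
    cache = os.path.isdir(os.path.join(root, PREREQ_DIR))
    if not plugin:
        return "no-weixin-plugin"          # vulnerable class absent
    if affected:
        # prerequisite directory absent: still patch, but not exploitable as reported
        return "exposed" if cache else "verify-patch-level"
    return "unaffected-release"

def build_sample(root: str, version: str, plugin: bool, cache: bool) -> None:
    """Constructed install layout for demonstration only."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "VERSION"), "w", encoding="utf-8") as fh:
        fh.write(version)
    if plugin:
        os.makedirs(os.path.join(root, os.path.dirname(VULN_CLASS)), exist_ok=True)
        open(os.path.join(root, VULN_CLASS), "w").close()
    if cache:
        os.makedirs(os.path.join(root, PREREQ_DIR), exist_ok=True)

def demo() -> Dict[str, str]:
    """Triage four constructed layouts and return their labels."""
    cases = {"8.1-with-cache": ("8.1.0", True, True), "8.0-no-cache": ("8.0.5", True, False),
             "8.2-with-cache": ("8.2.0", True, True), "7.9-no-plugin": ("7.9", False, True)}
    out: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (ver, plugin, cache) in cases.items():
            build_sample(os.path.join(tmp, name), ver, plugin, cache)
            out[name] = triage(os.path.join(tmp, name))
    return out
```

Run `triage("/path/to/metinfo")` against a real install root; a "verify-patch-level" result still calls for the April 7 patch, since the version string alone cannot show whether it was applied.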
Similar Happenings
Unauthenticated RCE Vulnerability in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197)
CVE-2026-34197, an unauthenticated RCE vulnerability in Apache ActiveMQ Classic via the Jolokia API, remains actively exploited with at least 6,400 exposed servers vulnerable. The flaw affects versions prior to 5.19.4 and 6.0.0 to 6.2.3, with patched releases issued on March 30, 2026. Discovered by Horizon3’s Naveen Sunkavally using AI assistance, the vulnerability chain enables attackers to execute arbitrary OS commands by abusing the Jolokia API’s addNetworkConnector function. CISA added the flaw to its Known Exploited Vulnerabilities Catalog on April 16, 2026, and ordered FCEB agencies to remediate by April 30, 2026 under BOD 22-01. Exploitation indicators include broker logs showing vm:// transport connections with brokerConfig=xbean:http:// query parameters and configuration warnings. Shadowserver reports over 7,500 exposed ActiveMQ servers, with recent data showing 6,400 still vulnerable, concentrated in Asia, North America, and Europe.
Metro4Shell RCE Flaw Exploited in React Native CLI npm Package
Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package, enabling unauthenticated OS command execution. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks, first observed on December 21, 2025, originate from multiple IP addresses and indicate operational use rather than experimental probing. A separate campaign is exploiting React2Shell (CVE-2025-55182), a pre-authentication RCE flaw in React Server Components (RSCs) affecting Next.js applications, for large-scale credential theft. This campaign, attributed to UAT-10608, uses the NEXUS Listener automated tool to harvest credentials, SSH keys, cloud tokens, and environment secrets from at least 766 compromised hosts across multiple industries and regions. Attackers leverage automated scanning to identify vulnerable deployments and deploy NEXUS Listener for post-exploitation data collection and further malicious activity.
Fortinet FortiWeb Vulnerabilities Exploited in the Wild
Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.