MetInfo, Weaver E-cology Vulnerabilities in Attackers' Crosshairs
Briefly

"The critical flaw in MetInfo, tracked as CVE-2026-29014, is described as an unauthenticated PHP code injection issue, allowing attackers to achieve remote code execution."
"Weaver E-cology's exploited bug, CVE-2026-22679, exists because exposed debug functionality can be invoked via crafted POST requests to execute arbitrary commands."
"Patches for the unauthenticated RCE weakness in both MetInfo and Weaver E-cology were released, but exploitation attempts were observed shortly after."
Two critical vulnerabilities in MetInfo and Weaver E-cology have been exploited by threat actors, allowing remote code execution without authentication. MetInfo's flaw, CVE-2026-29014, involves unauthenticated PHP code injection due to insufficient input neutralization. Weaver E-cology's vulnerability, CVE-2026-22679, arises from exposed debug functionality that can execute arbitrary commands. Patches were released for both vulnerabilities, but exploitation attempts began shortly after. The attacks have primarily targeted instances in China, with significant activity observed in Singapore.
Read at SecurityWeek