Severity: CRITICAL - Active Exploitation Confirmed

CVE-2026-29014 | CVSS Score: 9.8 | Status: Actively Exploited in the Wild

The Threat

Threat actors are actively exploiting CVE-2026-29014, a critical code injection vulnerability in MetInfo CMS, a widely used open-source content management system. Discovered and reported by VulnCheck, the flaw allows an unauthenticated remote attacker to inject and execute arbitrary code on the host server, with no login credentials required.

With a CVSS score of 9.8 out of 10, this vulnerability sits at the top tier of severity. Active exploitation has already been confirmed, meaning attackers are not waiting. Proof-of-concept code is likely circulating in underground forums, significantly lowering the barrier for less sophisticated threat actors to weaponize this flaw.

MetInfo CMS is used extensively across government agencies, public-sector portals, and commercial organizations in developing markets - including across East Africa - due to its open-source nature and low deployment cost.

Impact Assessment for East Africa

East African organizations face a compounded risk from this vulnerability. Governments in Kenya, Ethiopia, Somalia, and Djibouti have expanded their digital footprint rapidly over the past five years, deploying citizen-facing web portals, e-government services, and revenue collection platforms - many of which run on open-source CMS platforms like MetInfo that are rarely updated on a consistent patch cycle.

For financial institutions operating under guidelines from the Central Bank of Kenya (CBK), the Bank of Tanzania, or the National Bank of Ethiopia, a successful RCE exploit means a complete server compromise - potentially exposing customer PII, transaction data, and internal network access. This directly triggers Kenya Data Protection Act 2019 breach notification obligations and CBK incident reporting requirements.

For government ministries and parastatals, a compromised web server is a foothold into broader internal networks. Attackers can pivot from a public-facing CMS to internal HR systems, procurement databases, and sensitive citizen data repositories. In the Horn of Africa threat landscape, state-sponsored actors and financially motivated criminal groups both have an established interest in these targets.

Critical infrastructure operators - including power utilities and telecoms - that use MetInfo for their public portals or intranet systems face operational disruption risk if an attacker deploys ransomware or a destructive payload following initial access.

Immediate Actions - Do These Now

  • Audit your CMS inventory today. Identify every instance of MetInfo CMS running in your environment, including staging and development servers, which are often overlooked and equally exploitable.
  • Apply the vendor patch immediately. Check the official MetInfo repository for the latest patched release and deploy it to all affected instances without delay. Do not wait for a scheduled maintenance window given active exploitation.
  • Isolate exposed instances. If patching cannot happen immediately, place the affected server behind a Web Application Firewall (WAF) and restrict public access to essential endpoints only. Block suspicious POST requests to CMS administrative paths.
  • Scan for indicators of compromise (IOCs). Review web server logs for anomalous requests, unexpected new files, unusual outbound connections, or new user accounts created on the host. Treat any anomaly as a potential active breach.
  • Enforce least-privilege and network segmentation. Ensure your web server does not have unrestricted access to internal network resources. A compromised CMS should not be a direct gateway to your database servers or internal systems.
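
The log review in the IOC step can start with a triage script like the one below, which is an added example and not code from DRONGO or the MetInfo project. It assumes combined-format access logs and the path prefixes /admin/ and /upload/, which are placeholders to replace with your deployment's own paths; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumptions, not from the advisory: combined log format and these path
# prefixes. Replace them with your deployment's admin and upload paths.
ADMIN_PREFIXES = ("/admin/",)
UPLOAD_PREFIXES = ("/upload/",)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalize(raw_path):
    """Drop the query string, percent-decode, collapse slashes, lowercase."""
    path = unquote(raw_path.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def triage(lines):
    """Return {client_ip: [(reason, timestamp, raw_path, status), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path, status = normalize(m["path"]), int(m["status"])
        if m["method"] == "POST" and path.startswith(ADMIN_PREFIXES):
            reason = "post-to-admin-path"
        elif path.startswith(UPLOAD_PREFIXES) and path.endswith(".php") and status == 200:
            reason = "script-served-from-upload-dir"
        else:
            continue
        findings[m["ip"]].append((reason, m["ts"], m["path"], status))
    return dict(findings)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2026:10:02:11 +0300] "POST /admin/index.php?n=x HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.23 - - [12/Mar/2026:10:02:15 +0300] "GET /upload/a1.php HTTP/1.1" 200 17 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:03:40 +0300] "GET /upload/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2026:10:05:09 +0300] "POST /%61dmin/login.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE).items():
        for hit in hits:
            print(ip, *hit)
```

A hit is a lead for review, not proof of compromise: legitimate administrators also POST to admin paths, so compare the flagged client IPs against known administrator sources before escalating.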

DRONGO Recommendation

DRONGO's SOC team is actively monitoring threat feeds for CVE-2026-29014 exploitation attempts targeting East African infrastructure. Our web application penetration testing and vulnerability assessment services can confirm your exposure within 24 hours, and our incident response team is on standby for organizations that suspect active compromise.
