9.8
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package.
Cybersecurity company **VulnCheck**said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by **JFrog** in November 2025.
Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added.
In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\<Username>\AppData\Local\Temp").
The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124") and sends a request to retrieve data, write it to a file in the temporary directory, and execute it. The downloaded binary is based in Rust, and features anti-analysis checks to hinder static inspection.
The attacks have been found to originate from the following IP addresses -
* 5.109.182[.]231
* 223.6.249[.]141
* 134.209.69[.]155
Describing the activity as neither experimental nor exploratory, VulnCheck said the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing."
"CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package.
Cybersecurity company **VulnCheck**said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by **JFrog** in November 2025.
Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added.
In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\<Username>\AppData\Local\Temp").
The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124") and sends a request to retrieve data, write it to a file in the temporary directory, and execute it. The downloaded binary is based in Rust, and features anti-analysis checks to hinder static inspection.
The attacks have been found to originate from the following IP addresses -
* 5.109.182[.]231
* 223.6.249[.]141
* 134.209.69[.]155
Describing the activity as neither experimental nor exploratory, VulnCheck said the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing."
"CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Basic Information
ID
THN:55641F71FC596A01C2193202FEEF23B7
Published
Feb 3, 2026 at 14:00
Modified
Feb 3, 2026 at 14:06