Cybersecurity researchers have identified active exploitation of a critical remote code execution vulnerability affecting the Metro Development Server used by the @react-native-community/cli npm package. The flaw allows unauthenticated attackers to execute arbitrary operating system commands on exposed systems.
The vulnerability, tracked as CVE-2025-11953 and commonly referred to as Metro4Shell, carries a CVSS severity score of 9.8. According to VulnCheck, real-world exploitation was first observed on December 21, 2025. Technical details of the issue were initially published by JFrog in November 2025.
Despite confirmation that the vulnerability has been exploited in the wild for more than a month, VulnCheck noted that the activity has received little public attention so far.
During attacks detected within VulnCheck’s honeypot environment, threat actors leveraged the flaw to deploy a Base64-encoded PowerShell script. Once decoded and executed, the script performs multiple actions designed to establish persistence and evade detection.
One of the first steps involves adding Microsoft Defender Antivirus exclusions for both the active working directory and the system’s temporary folder located at C:\Users\<Username>\AppData\Local\Temp.
The script then opens a raw TCP connection to an attacker-controlled server at 8.218.43[.]248 on port 60124. Through this connection, it requests additional data, saves the received payload to the temporary directory, and executes it.
The downloaded payload is a Rust-based binary equipped with multiple anti-analysis techniques, making static inspection and reverse engineering more difficult for defenders.
VulnCheck identified the following IP addresses as sources of exploitation activity:
5.109.182[.]231
223.6.249[.]141
134.209.69[.]155
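As an added illustration of how a defender might hunt for the loader stage described above (this is example code, not tooling from VulnCheck or JFrog): a small Python triage that decodes PowerShell -EncodedCommand arguments, tags the Defender-exclusion and raw-TCP behaviours, and matches the IP addresses listed in this article. The command lines it runs over are constructed samples, and the regexes and tag names are this example's own.

```python
import base64
import re

# Indicators quoted in the article above; the defanged "[.]" is normalised.
KNOWN_BAD_IPS = {ip.replace("[.]", ".") for ip in (
    "8.218.43[.]248", "5.109.182[.]231", "223.6.249[.]141", "134.209.69[.]155")}
# Behaviours from the described chain: exclusion on the temp folder, raw TCP fetch.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)
TEMP_PATH = re.compile(r"(\\AppData\\Local\\Temp|\$env:TEMP|%TEMP%)", re.I)
RAW_TCP = re.compile(r"Net\.Sockets\.TcpClient", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(script_text):
    """Return the indicator tags present in one (decoded) script."""
    findings = set()
    if DEFENDER_EXCLUSION.search(script_text):
        findings.add("defender-exclusion")
        if TEMP_PATH.search(script_text):
            findings.add("defender-exclusion-temp")  # the described tell
    if RAW_TCP.search(script_text):
        findings.add("raw-tcp-client")
    for ip in IPV4.findall(script_text):
        if ip in KNOWN_BAD_IPS:
            findings.add("known-bad-ip:" + ip)
    return findings

def triage(command_lines):
    """Decode each process command line if it is encoded, then tag it."""
    return [sorted(analyse(decode_encoded_command(c) or c)) for c in command_lines]

# Constructed sample command lines (not real telemetry): an encoded loader
# mimicking the described stage, an admin exclusion, and a benign command.
LOADER = ("Add-MpPreference -ExclusionPath $env:TEMP; "
          "$c = New-Object System.Net.Sockets.TcpClient('8.218.43.248', 60124)")
SAMPLE = [
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(LOADER.encode("utf-16-le")).decode(),
    "powershell.exe Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor'",
    "powershell.exe Get-ChildItem $env:TEMP",
]
```

A plain admin exclusion only earns the weak "defender-exclusion" tag; the combination of a temp-folder exclusion, a raw TCP client and a listed IP in one decoded script is what distinguishes the activity described here.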
Researchers emphasized that the behavior does not appear experimental. Instead, the payloads and attack patterns remained consistent over several weeks, indicating deliberate and sustained operational use rather than proof of concept testing.
VulnCheck highlighted that the significance of CVE-2025-11953 lies not only in its severity, but in the broader lesson it reinforces. Development tools and infrastructure instantly become high value targets once they are accessible over the network, regardless of whether they were intended for production use.