A critical vulnerability in the Metro development server, used by many React Native-based applications, is being exploited in the wild and is a hard reminder for those who manage development infrastructure. The flaw, tracked as CVE-2025-11953 and dubbed Metro4Shell, allows unauthenticated remote attackers to run arbitrary commands on the system hosting the server.
The most recent public research appeared when the cyber security firm VulnCheck documented exploitation attempts detected from 21 December 2025 onwards. Before that, security researchers had already described the problem by the end of November, including reports from security companies, but the activity observed in VulnCheck's honeypot network shows that these were not isolated experiments: the delivered payloads were consistently repeated, indicating operations beyond a simple proof of concept.

The technical severity of the flaw is high: the associated CVSS score is 9.8. This reflects that the attack can be triggered remotely and without credentials, and results in code execution on the affected host. Metro, the bundler and development server used by the React Native ecosystem, is part of many development workflows, and when these instances are reachable from untrusted networks they behave, from the attacker's point of view, like production systems.
In the incidents analyzed, the attackers used the vulnerability to deploy a Base64-encoded PowerShell script. This script performs several hostile actions: it suppresses detection by adding Microsoft Defender exclusions for the current working directory and the user's temporary folder (C:\Users\<user>\AppData\Local\Temp), establishes a direct TCP connection to an attacker-controlled server, and requests a binary that it writes to the temporary folder and then runs.
The downloaded binary, a preliminary analysis of which is available on VirusTotal, is written in Rust and contains mechanisms that hinder static analysis, which complicates detection and response work. The outbound connections observed in the intrusions pointed to specific IP addresses associated with the campaign, and the recurrence of the same artifacts and channels suggests an organized and sustained operation.
This episode puts a simple but frequent lesson on the table: development infrastructure is no longer "development only" when it is accessible from external networks. An exposed Metro server can become a gateway with serious consequences, regardless of whether its original purpose was to test interfaces or bundle packages locally.
For teams and managers the immediate priority must be to understand the scope and apply fixes. Updating Metro and the related tooling packages and dependencies, such as @react-native-community/cli, is the first step. It is also advisable to review network and firewall configuration to prevent development ports from being publicly exposed, and to segment development and production networks to minimize the impact if an instance is compromised. Metro's own code is publicly available on GitHub, where the patches and related technical discussions can be consulted.
In addition to patching, it is appropriate to look for indicators of compromise on development machines: check for new exclusions in antivirus solutions, review the temporary folder for suspicious executables, and audit outbound connections to the IP addresses linked to the campaign. If malicious activity is detected, the response should include isolating the affected systems, forensic analysis and, where necessary, a clean rebuild of the compromised machines and revocation of potentially leaked credentials.
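The checks listed above, turned into an audit script for a Windows developer workstation. This is an added example, not code from the article or from the Metro project; it assumes Microsoft Defender is the endpoint AV, that Metro listens on its default port 8081 (the port is not stated in the article), and that a 30-day window counts as "recent". Run it in an elevated PowerShell session.

```powershell
# Added audit script (not from the article or the Metro project). Assumptions:
# Defender is the AV in use; Metro's default port is 8081; "recent" = last $Days days.
param([int]$Days = 30)

$temp = $env:TEMP
$findings = @()

# 1. Defender path exclusions that cover the temp folder or any user profile path,
#    the two locations the observed PowerShell stage excluded.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -and ($p -like "$temp*" -or $p -like 'C:\Users\*')) {
        $findings += "Suspicious Defender path exclusion: $p"
    }
}

# 2. Recently written executables in the temp folder (the drop location in the campaign).
Get-ChildItem -Path $temp -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$Days) } |
    ForEach-Object { $findings += "Recent executable in TEMP: $($_.FullName) ($($_.CreationTime))" }

# 3. Established outbound TCP connections to non-private addresses, with the owning
#    process, so they can be compared against the campaign's published IP addresses.
$privateNets = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateNets } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Outbound: $($_.RemoteAddress):$($_.RemotePort) by $proc (PID $($_.OwningProcess))"
    }

# 4. Metro dev server bound to all interfaces rather than loopback, i.e. reachable
#    from the network (assumed default port 8081).
Get-NetTCPConnection -State Listen -LocalPort 8081 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    ForEach-Object { $findings += "Port 8081 bound to $($_.LocalAddress): Metro may be network-exposed" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Any hit in sections 1 to 3 warrants isolating the host and preserving the temp folder contents for forensic analysis before cleanup; a hit in section 4 alone is a configuration finding that should be fixed by binding Metro to localhost or firewalling the port.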

The security community has already seen earlier examples of poorly configured development tools being abused by attackers. So it is not enough to apply patches: security principles must also be applied in configuration and deployment. This means not exposing development servers to the Internet, requiring access through a VPN or secure tunnels when remote access is strictly necessary, and using authentication and access control mechanisms even in internal environments.
While the initial technical disclosure arrived in November and active exploitation was observed in December 2025, public visibility of such intrusions is not always immediate or broad. This can leave many organizations in uncertainty until consultancies or specific reports bring the activity to light. Staying informed by reviewing reliable sources and security bulletins is key to responding quickly.
In short, the combination of a critical vulnerability in a component widely used by developers and permissive deployment practices has enabled a campaign with remote code execution capability and sophisticated malware delivery. The recommendations are clear: patch, limit the exposure of development services, audit and respond to signs of compromise, and implement strict access controls. Following these steps significantly reduces the likelihood that a tool designed to facilitate development ends up being an attack path.