Critical React Native Vulnerability Exploited in the Wild

VulnCheck has observed in-the-wild exploitation of a critical React Native Community CLI vulnerability tracked as CVE-2025-11953, nicknamed Metro4Shell. Attackers are remotely exploiting internet-exposed Metro development servers to deliver a PowerShell loader that disables Microsoft Defender and retrieves a Rust payload targeting Windows and Linux. #Metro4Shell #CVE-2025-11953

Key points

  • CVE-2025-11953 (Metro4Shell) is a critical vulnerability in the @react-native-community/cli package with a CVSS score of 9.8.
  • VulnCheck observed active exploitation beginning December 21 and continuing through January against exposed Metro instances.
  • Metro can bind to external interfaces, allowing unauthenticated remote OS command execution via simple POST requests.
  • Attackers deploy a multi-stage PowerShell loader that disables Microsoft Defender, opens a raw TCP connection, and fetches a payload.
  • The final payload is written in Rust, includes anti-analysis logic, and targets both Windows and Linux; the campaign threatens thousands of exposed React Native servers.
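
A defender-side check for the exposure described in the key points, added here as an example that is not from VulnCheck or the original article: it parses `ss -ltn` listener output and reports Metro listeners bound beyond loopback. Port 8081 (Metro's default) and the sample output are assumptions; the sample is constructed.

```python
import ipaddress

# Assumption: 8081 is Metro's default port; change it if the project overrides it.
METRO_PORT = 8081

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          127.0.0.1:8081      0.0.0.0:*
LISTEN 0      511                  *:8081            *:*
LISTEN 0      128            0.0.0.0:22        0.0.0.0:*
LISTEN 0      511              [::1]:8081         [::]:*
LISTEN 0      511  192.168.1.20%eth0:8081      0.0.0.0:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def classify(addr):
    """Return 'loopback', 'wildcard' or 'external' for a bind address."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "external"

def exposed_metro_listeners(ss_output, port=METRO_PORT):
    """List (address, port, kind) for listeners on `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, lport = split_local(cols[3])
        kind = classify(addr)
        if lport == port and kind != "loopback":
            findings.append((addr, lport, kind))
    return findings

if __name__ == "__main__":
    for addr, port, kind in exposed_metro_listeners(SAMPLE_SS):
        print(f"Metro port {port} reachable beyond loopback: bound to {addr} ({kind})")
```

On a real workstation or build host, pass the text of `ss -ltn` to `exposed_metro_listeners` instead of the sample; any finding means the dev server is reachable from other machines on that network.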

Read More: https://www.securityweek.com/critical-react-native-vulnerability-exploited-in-the-wild/