
"Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025. Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added."
"In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\<Username>\AppData\Local\Temp"). The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124") and sends a request to retrieve data, write it to a file in the temporary directory, and execute it. The downloaded binary is based in Rust, and features anti-analysis checks to hinder static inspection."
CVE-2025-11953 (Metro4Shell) is a critical vulnerability in the Metro Development Server within the @react-native-community/cli npm package that permits remote unauthenticated attackers to execute arbitrary operating system commands. Exploitation was observed beginning December 21, 2025, and the flaw was originally documented by JFrog in November 2025. Threat actors weaponized the flaw to deliver a Base64-encoded PowerShell script that creates Microsoft Defender exclusions for the working directory and the user temporary folder, establishes a raw TCP connection to 8.218.43[.]248:60124, retrieves a Rust-based binary into the temporary directory, and executes it. The Rust binary includes anti-analysis checks, and the delivered payloads were consistent across multiple weeks, indicating operational use rather than testing.
Read at The Hacker News
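A detection sketch for the post-exploitation behaviour summarised above, added here as an example and not taken from VulnCheck, JFrog or The Hacker News. It assumes the script reaches PowerShell as a Base64 argument on a logged process command line, and that the behaviours show up as the `Add-MpPreference`/`Set-MpPreference` cmdlets and the .NET `TcpClient` class; the sample command line is constructed.

```python
import base64
import re

# Behaviours named in the report. The cmdlet/class names used to spot them are
# assumptions about how those behaviours usually look in PowerShell.
INDICATORS = {
    "defender_exclusion": re.compile(
        r"(Add|Set)-MpPreference\b[^\n;|]*-ExclusionPath", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "temp_dir_write": re.compile(
        r"\$env:TEMP|AppData\\Local\\Temp|GetTempPath", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_command_line(command_line):
    """Return sorted indicator names found in the line or in any Base64 it carries."""
    texts = [command_line]
    for blob in B64_RUN.findall(command_line):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # not valid Base64 after all
            continue
        # -EncodedCommand uses UTF-16LE; also try UTF-8 for hand-rolled decoders.
        texts += [raw.decode(enc, errors="ignore") for enc in ("utf-16-le", "utf-8")]
    hits = set()
    for text in texts:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)


def should_alert(hits):
    """Alert when an AV exclusion and a raw socket appear in the same script."""
    return "defender_exclusion" in hits and "raw_tcp_client" in hits


# Constructed sample (192.0.2.10 is a documentation address, port is arbitrary).
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath $env:TEMP; "
    "$c = New-Object System.Net.Sockets.TcpClient('192.0.2.10', 4444)"
)
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    found = scan_command_line(SAMPLE_CMDLINE)
    print(found, "ALERT" if should_alert(found) else "ok")
```

On a development host, the parent process of such a command line is also worth checking: a Node.js process running the Metro server has little reason to spawn an encoded PowerShell command.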