
Metro4Shell (CVE-2025-11953): Critical RCE Vulnerability in React Native CLI npm Package Actively Exploited by Hackers

  • Rescana

Executive Summary

A critical remote code execution (RCE) vulnerability, designated Metro4Shell (CVE-2025-11953), has been discovered and is being actively exploited in the wild. This flaw impacts the Metro Development Server within the React Native CLI npm package, a foundational tool in the JavaScript and mobile application development ecosystem. The vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on affected systems via a network-exposed endpoint, leading to full system compromise. Exploitation has resulted in the deployment of sophisticated, multi-stage malware, including Rust-based binaries, across both Windows and Linux environments. The rapid weaponization of public proof-of-concept (PoC) code and the operational use of this exploit by threat actors underscore the urgent need for immediate remediation.

Threat Actor Profile

Current intelligence indicates that exploitation of the Metro4Shell vulnerability is being conducted by financially motivated cybercriminals and initial access brokers rather than advanced persistent threat (APT) groups. The observed tactics, techniques, and procedures (TTPs) are consistent with those used by actors seeking to monetize access through ransomware, data theft, or sale of compromised assets. The infrastructure leveraged in these attacks, including command-and-control (C2) servers and payload distribution hosts, is shared across multiple campaigns, suggesting a commoditized approach to exploitation. No definitive attribution to a specific threat group has been established as of this report, but the operational tempo and technical sophistication indicate a well-resourced adversary with experience in exploiting software supply chain vulnerabilities.

Technical Analysis of Malware/TTPs

The Metro4Shell vulnerability arises from insufficient input validation on the /open-url endpoint of the Metro Development Server. By sending a specially crafted POST request containing a malicious payload in the url parameter, attackers can trigger arbitrary command execution on the underlying host. The attack chain typically begins with the delivery of a base64-encoded PowerShell or bash command, which disables local security controls (such as Microsoft Defender), establishes outbound connections to attacker-controlled infrastructure, and downloads a secondary Rust-based binary payload.

The Windows variant of the malware is a UPX-packed Rust executable, designed to evade static analysis and signature-based detection. Upon execution, it attempts to establish persistence, exfiltrate system information, and maintain a covert channel with the C2 server. The Linux variant exhibits similar functionality, leveraging bash scripts for initial access and subsequent deployment of the Rust binary. Both payloads employ anti-analysis techniques, including obfuscated command-line arguments and runtime checks for virtualized environments.

Network indicators associated with these campaigns include connections to IP addresses such as 65.109.182.231, 223.6.249.141, 134.209.69.155, 8.218.43.248, and 47.86.33.195. File-based indicators include SHA-256 hashes d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6 (packed Windows payload), 7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886 (unpacked Windows payload), d1886b189474b02467ed2845df0938cec9785e99c3d4b04e0b7de3cafbee4182 (packed Linux payload), and 6686d4baa9d483da27ba84dab85e96e42b790b608571de7bcb07a1fd7c975fe3 (unpacked Linux payload).

The exploitation process leverages MITRE ATT&CK techniques such as T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1562.001 (Disable or Modify Tools), T1105 (Ingress Tool Transfer), and T1071.001 (Web Protocols).

Exploitation in the Wild

Active exploitation of Metro4Shell was first observed by VulnCheck on December 21, 2025, mere days after public disclosure and the release of PoC code on GitHub. Attackers have demonstrated operational maturity, conducting sustained campaigns rather than isolated testing. The exploitation is not limited to opportunistic scanning; rather, it involves targeted delivery of multi-stage payloads, indicating a clear intent to establish persistent access and monetize compromised assets.

The attack surface is significantly expanded by the common practice of exposing Metro Development Server instances to the public internet for development and testing purposes. Organizations running unpatched versions of the React Native CLI or failing to restrict network access to the Metro server are at heightened risk. The trivial nature of exploitation, combined with the availability of automated tools, has led to a surge in successful intrusions across diverse industry verticals.

Victimology and Targeting

Victims of the Metro4Shell exploit are predominantly organizations and individuals involved in JavaScript and mobile application development, particularly those utilizing the React Native CLI in CI/CD pipelines, development environments, or cloud-based build systems. The cross-platform nature of the attack enables threat actors to compromise both Windows and Linux hosts, increasing the potential impact.

Targeted entities include technology companies, software development agencies, and enterprises with exposed development infrastructure. The presence of the vulnerability in widely used npm packages amplifies the risk of supply chain compromise, potentially affecting downstream customers and partners. The lack of authentication on the vulnerable endpoint means that any internet-exposed instance is susceptible, regardless of organizational size or sector.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by Metro4Shell. Organizations must upgrade to the latest patched versions of the React Native CLI and Metro Development Server as detailed in the official vendor advisory. Specifically, patched versions include 20.0.0, 19.1.2, and 18.0.1 of the relevant npm packages. It is imperative to audit all development and CI/CD environments for the presence of vulnerable versions and to apply updates without delay.

Network access to the Metro Development Server should be strictly limited to trusted internal hosts. Exposing the server to the public internet is strongly discouraged. Security teams should implement monitoring for anomalous POST requests to the /open-url endpoint and outbound connections to known malicious IP addresses. Endpoint detection and response (EDR) solutions should be configured to alert on PowerShell or bash execution patterns consistent with the described attack chain, as well as the presence of the identified file hashes.
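As an added example (not Rescana's or the React Native project's code), the following hunting helpers implement the two monitoring points above: POST requests to /open-url whose url parameter is not a plain http(s) URL or carries shell tokens, and outbound connections to the C2 and payload hosts named in this advisory. The log formats are assumptions (JSON-per-line proxy records with the request body captured, and `src=... dst=ip:port` connection lines), and all sample records are constructed.

```python
# Hunting helpers for the Metro4Shell patterns described above (constructed sample data).
import json
import re
from urllib.parse import urlparse

# Addresses named in the advisory's network indicators.
MALICIOUS_IPS = {"65.109.182.231", "223.6.249.141", "134.209.69.155",
                 "8.218.43.248", "47.86.33.195"}
# Shell metacharacters and interpreter names that never belong in a URL Metro is asked to open.
SUSPICIOUS = re.compile(r"[;&|`$<>]|\bpowershell\b|/bin/(ba)?sh\b|\b(curl|wget)\b", re.I)

def open_url_verdict(method, path, url_param):
    """Return a reason string if a request to /open-url looks hostile, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/open-url":
        return None
    parsed = urlparse(url_param)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "url is not a plain http(s) URL"
    if SUSPICIOUS.search(url_param):
        return "url carries shell or interpreter tokens"
    return None

def scan_http_log(lines):
    """Return (source_ip, reason) for every hostile /open-url record (assumed JSON format)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        url = (rec.get("body") or {}).get("url", "")
        reason = open_url_verdict(rec["method"], rec["path"], url)
        if reason:
            hits.append((rec["src"], reason))
    return hits

def scan_connections(lines):
    """Return (internal_host, c2_ip) for outbound connections to advisory IPs (assumed format)."""
    hits = []
    for line in lines:
        m = re.search(r"src=(\S+) dst=([\d.]+):\d+", line)
        if m and m.group(2) in MALICIOUS_IPS:
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample records (198.51.100.23 and 203.0.113.9 are documentation addresses).
HTTP_LOG = [
    '{"src":"10.0.0.7","method":"POST","path":"/open-url","body":{"url":"http://localhost:8081/debugger-ui"}}',
    '{"src":"198.51.100.23","method":"POST","path":"/open-url","body":{"url":"http://127.0.0.1/;id"}}',
    '{"src":"198.51.100.23","method":"POST","path":"/open-url","body":{"url":"powershell -enc QQBB"}}',
]
CONN_LOG = ["2025-12-22T10:01:02Z conn src=10.0.0.7 dst=65.109.182.231:443",
            "2025-12-22T10:01:05Z conn src=10.0.0.7 dst=203.0.113.9:443"]
```

The token regex is a hunting heuristic rather than a precise signature, so review its hits before acting on them; the IP match is exact and should be treated as a confirmed indicator.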

Incident response teams are advised to conduct retrospective analysis for signs of compromise, including disabled security controls, unauthorized network connections, and execution of unknown binaries. Organizations should also review their software supply chain security practices to prevent similar vulnerabilities from being introduced or exploited in the future.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.