Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers abused React Native CLI flaw to deploy Rust malware before public disclosure

Hackers exploit a critical React Native CLI flaw (CVE-2025-11953) to run remote commands and drop stealthy Rust malware, weeks before public disclosure. Attackers are actively exploiting a critical flaw in the React Native CLI Metro server, tracked as CVE-2025-11953. The React Native CLI’s Metro dev server binds to external interfaces by default and exposes a […]

CVE-2026-39987: Marimo RCE

Hackers exploit a critical React Native CLI flaw (CVE-2025-11953) to run remote commands and drop stealthy Rust malware, weeks before public disclosure.

Attackers are actively exploiting a critical flaw in the React Native CLI Metro server, tracked as CVE-2025-11953. The React Native CLI’s Metro dev server binds to external interfaces by default and exposes a command injection flaw. Unauthenticated attackers can send POST requests to execute arbitrary programs, and on Windows can also run shell commands with fully controlled arguments.

“The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables.” reads the advisory. “On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”

Metro is the JavaScript bundler and dev server used by React Native. By default it can expose an endpoint that lets unauthenticated attackers run OS commands on Windows.

VulnCheck researchers observed consistent, real-world attacks weeks before broad disclosure.

VulnCheck spotted real-world exploitation of CVE-2025-11953 (Metro4Shell) on December 21, 2025, and again in January, showing attackers kept using it. Despite this, the activity still lacks broad public attention and carries a low EPSS score. The gap is risky, since the flaw is easy to exploit and many exposed servers remain online.

“Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405.” reads the advisory published by VulnCheck. “This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet.”

VulnCheck found active, sustained exploitation of CVE-2025-11953, showing it was used operationally rather than for testing. Attackers delivered a multi-stage, base64-encoded PowerShell loader via cmd.exe, disabled Microsoft Defender protections, fetched payloads over raw TCP, and executed a downloaded binary. The malware was a UPX-packed Rust payload with basic anti-analysis features.

The experts noted that attacks reused the same infrastructure and techniques for weeks. VulnCheck warns the lack of public acknowledgment risks leaving defenders unprepared, as exploitation often begins well before official recognition.

Below is the Network Infrastructure involved in the attacks:

IndicatorObserved Role
65.109.182.231Exploitation source
223.6.249.141Exploitation source
134.209.69.155Exploitation source
8.218.43.248Payload host (Windows)
47.86.33.195Payload host (Windows and Linux)

“CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, React Native CLI)