A new report from VulnCheck reveals that CVE-2025-11953, a critical flaw in the Metro development server dubbed “Metro4Shell,” was being actively weaponized in the wild as early as late December 2025. The findings show a gap between attacker speed and defender awareness, with public discourse by late January dismissing the flaw as theoretical while it was already being used as a live intrusion vector.
VulnCheck’s canaries detected exploitation in late December and the telemetry indicated consistent payload delivery across multiple dates, not a one-off probe. Investigations traced the attacks to a cluster of infrastructure, with exploitation originating from IPs including 65.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155, and the payloads—named “windows” and “linux”—hosted on separate servers for multi-OS targeting.
The incident underlines that any internet-facing development tool becomes production infrastructure the moment it is reachable, and it urges organisations to patch exposed Metro servers now rather than wait for an entry in CISA's Known Exploited Vulnerabilities (KEV) catalog.
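For defenders who want to check their own web-server logs against the source addresses named in the report, the following is an added example (not VulnCheck's tooling and not part of the original article): it re-fangs the `[.]`-defanged indicators exactly as printed above and matches them against the client address of each access-log line. The log format (Combined Log Format) and the sample lines are constructed for illustration; the only page-derived values are the three IP addresses.

```python
import re
from typing import Iterable, List, Set, Tuple

# Source IPs named in the VulnCheck report, copied as published (defanged with "[.]").
METRO4SHELL_SOURCE_IPS = [
    "65.109.182[.]231",
    "223.6.249[.]141",
    "134.209.69[.]155",
]


def refang(indicator: str) -> str:
    """Convert common defanging styles ("[.]", "(.)", "[dot]") back to a plain dotted IP."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("[dot]", ".")
        .strip()
    )


def build_ioc_set(indicators: Iterable[str]) -> Set[str]:
    """Normalise a list of defanged indicators into a set suitable for O(1) lookups."""
    return {refang(i) for i in indicators}


# Client address is the first field of a Combined Log Format line (assumption: Apache/nginx style).
_CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_access_log(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, raw_line) for every log line whose client IP is a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _CLIENT_IP.match(line)
        if m and m.group(1) in iocs:
            hits.append((n, m.group(1), line.rstrip()))
    return hits


# Constructed sample log: two benign internal clients and two of the published source IPs.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Dec/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '65.109.182.231 - - [27/Dec/2025:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.168.1.10 - - [27/Dec/2025:10:02:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '134.209.69.155 - - [28/Dec/2025:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"',
]


def sample_hits() -> List[Tuple[int, str, str]]:
    """Run the scan over the constructed sample so the result can be inspected or tested."""
    return scan_access_log(SAMPLE_LOG, build_ioc_set(METRO4SHELL_SOURCE_IPS))


if __name__ == "__main__":
    for line_no, ip, raw in sample_hits():
        print(f"line {line_no}: indicator {ip} -> {raw}")
```

Matching on source address alone is a coarse triage step: a hit tells you the host was contacted from published infrastructure, not that exploitation succeeded, so follow up on the request path, response size and any process activity on the Metro host around those timestamps.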