Ethical Hacking News
Cybersecurity experts have exposed a critical vulnerability in the React Native CLI that attackers exploited to deploy Rust malware before public disclosure. The flaw, tracked as CVE-2025-11953, has significant implications for organizations relying on development tools that are not properly secured. This article provides an in-depth analysis of the exploit and highlights the importance of maintaining up-to-date software ecosystems.
Cybersecurity experts have identified a critical vulnerability (CVE-2025-11953) in the React Native CLI. The flaw allows unauthenticated attackers to execute arbitrary shell commands on Windows-based systems. The exploit involves sending a POST request to the Metro dev server, which is exposed by default in the React Native CLI. The lack of public acknowledgment of this vulnerability poses a significant risk for defenders. Developers and organizations should follow best practices for securing development tools and infrastructure to stay safe from such threats.
Cybersecurity experts have recently exposed a critical vulnerability in the React Native CLI, a development tool widely used for building mobile applications. The flaw, tracked as CVE-2025-11953, was discovered by researchers at VulnCheck and allows unauthenticated attackers to execute arbitrary shell commands on Windows-based systems.
According to VulnCheck, the exploit involves sending a POST request to the Metro dev server, which is exposed by default in the React Native CLI. This allows attackers to inject malicious code, potentially leading to the deployment of malware or other malicious payloads. The researchers observed consistent real-world attacks weeks before broad disclosure and found that the attack vector was actively used operationally rather than for testing.
The attackers used a multi-stage approach to deploy their Rust-based malware, which included a base64-encoded PowerShell loader via cmd.exe, disabling Microsoft Defender protections, fetching payloads over raw TCP, and executing a downloaded binary. The malware itself was UPX-packed, indicating that it had been compressed using the UPX utility to reduce its size.
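A defender-side triage of that chain, as an added example rather than code from VulnCheck or this article: it walks process-creation events, flags encoded PowerShell launched through cmd.exe under a Node.js ancestor, and decodes the payload to check for Defender tampering. The event fields, the sample data, the node.exe ancestor and the cmdlet markers are assumptions made for illustration.

```python
import base64
import re
# Assumption: Metro runs under Node.js, so node.exe is the ancestor to look for.
DEV_SERVER_ANCESTOR = "node.exe"
# Assumption: common Defender-tampering cmdlets; the article names none.
DEFENDER_MARKERS = ("set-mppreference", "add-mppreference")
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):  # decoded -EncodedCommand payload, or None
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell expects base64 over UTF-16LE text
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or not UTF-16LE
        return None

def ancestors(by_pid, pid):  # image names of ancestors, nearest first
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]["image"].lower()

def triage(events):  # encoded PowerShell started via cmd.exe under the dev server
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = list(ancestors(by_pid, e["pid"]))
        decoded = decode_encoded_command(e["cmdline"])
        if (e["image"].lower() != "powershell.exe" or decoded is None
                or "cmd.exe" not in chain or DEV_SERVER_ANCESTOR not in chain):
            continue
        tamper = any(m in decoded.lower() for m in DEFENDER_MARKERS)
        findings.append({"pid": e["pid"], "decoded": decoded, "defender_tamper": tamper})
    return findings

def _enc(text):  # builds the constructed sample payloads only
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed process-creation events, not taken from the article.
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": "node.exe", "cmdline": "node cli.js start"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell"},
    {"pid": 300, "ppid": 200, "image": "PowerShell.exe",
     "cmdline": "powershell -NoP -enc " + _enc("Add-MpPreference -ExclusionPath C:\\constructed")},
    {"pid": 400, "ppid": 1, "image": "powershell.exe", "cmdline": "powershell -enc " + _enc("Get-Date")},
]
```

Calling `triage(SAMPLE)` returns only the PID 300 event; the PID 400 event also carries an encoded command but has no dev-server ancestry, so it is not flagged.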
The researchers noted that the lack of public acknowledgment of this vulnerability posed a significant risk, as exploitation often begins well before official recognition. When a vulnerability is not publicly disclosed immediately, defenders may be left unprepared and more exposed to attacks.
Furthermore, VulnCheck highlighted that the critical React Native CLI flaw reinforced a pattern of development infrastructure becoming production infrastructure once it is accessible to unauthorized individuals or groups. This pattern is a cautionary tale for developers and organizations that rely on development tools and platforms that are not properly secured.
The React Native CLI vulnerability highlights the importance of maintaining an up-to-date and secure software ecosystem, particularly in environments where development tools are exposed to external networks or untrusted sources.
To stay safe from such threats, it is essential to follow best practices for securing development tools and infrastructure, including regular software updates, secure configuration, and network segmentation. By taking proactive measures to address vulnerabilities like CVE-2025-11953, organizations can reduce their exposure to potential attacks and minimize the risk of data breaches.
Published: Tue Feb 3 15:00:37 2026 by llama3.2 3B Q4_K_M