
Ethical Hacking News

The Exploitation of Metro4Shell: A New Chapter in Supply Chain Security Threats



A new chapter in supply chain security threats has emerged with the exploitation of Metro4Shell, allowing remote unauthenticated attackers to execute arbitrary operating system commands on underlying hosts. Learn more about this critical vulnerability and its implications for organizations.

  • The vulnerability CVE-2025-11953, also known as Metro4Shell, allows remote unauthenticated attackers to execute arbitrary operating system commands.
  • The attack uses a Base64-encoded PowerShell script that is configured to perform a series of actions, including adding Microsoft Defender Antivirus exclusions and establishing a raw TCP connection to an attacker-controlled host.
  • The attacks originate from specific IP addresses and have been found to be consistent across multiple weeks, indicating operational use rather than vulnerability probing or proof-of-concept testing.
  • Organizations must take proactive steps to secure their infrastructure and protect against such threats by regular software updates, monitoring for unusual network activity, and implementing robust security controls.



    The cybersecurity landscape is ever-evolving, with new threats emerging daily. One such threat that has gained significant attention in recent times is the exploitation of CVE-2025-11953, also known as Metro4Shell. This vulnerability, discovered in the "@react-native-community/cli" npm package, allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host.

    According to VulnCheck, the cybersecurity company that first observed exploitation of this vulnerability against its honeypot network on December 21, 2025, the flaw (CVSS score 9.8) has been weaponized by threat actors to deliver a Base64-encoded PowerShell script that, once decoded, performs a series of actions.

    The first action performed by the PowerShell script is to add Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\\AppData\Local\Temp"), so that files dropped there are not scanned and the attackers avoid detection by antivirus software. Following this, the script establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124"), sends a request to retrieve data, writes the response to a file in the temporary directory, and executes it.

    The downloaded binary is written in Rust and features anti-analysis checks to hinder static inspection. The attacks have been found to originate from the following IP addresses:

    5.109.182[.]231
    223.6.249[.]141
    134.209.69[.]155
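    A defender's starting point for the activity described above is process-creation telemetry: decode any Base64 (UTF-16LE) PowerShell command line and check the decoded script for the behaviours the article names, namely a Defender exclusion, a raw TCP client, and use of the temp directory. The following is an added example written for this article, not VulnCheck's or JFrog's code; the log lines, the encoded script and the IP 198.51.100.7 are constructed for illustration.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample script: only the indicator fragments, not a working payload.
SAMPLE_SCRIPT = ("Add-MpPreference -ExclusionPath $env:TEMP; "
                 "$c = New-Object System.Net.Sockets.TcpClient('198.51.100.7', 60124)")

# Constructed process-creation command lines (not real telemetry).
SAMPLE_LOGS = [
    "node.exe node_modules/.bin/react-native start",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(SAMPLE_SCRIPT),
    "powershell.exe -Command Get-Process",
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours from the article, each as a pattern over the decoded script.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE),
    "raw_tcp_client": re.compile(r"System\.Net\.Sockets\.TcpClient", re.IGNORECASE),
    "temp_dir_use": re.compile(r"\$env:TEMP|AppData\\Local\\Temp", re.IGNORECASE),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not Base64 / not UTF-16LE text
        return None

def scan_command_line(cmdline: str) -> List[str]:
    """Names of indicators found in the decoded script, in INDICATORS order."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def scan_logs(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> indicator hits, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_command_line(line))}
```

A single hit (for example a temp-directory path) is common in benign scripts; alerting on the combination of exclusion plus raw TCP client keeps the noise down.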

    VulnCheck described the activity as neither experimental nor exploratory, stating that the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing."

    This highlights the importance of timely patching and monitoring in supply chain security threats. The details of the flaw were first documented by JFrog in November 2025. However, more than a month after initial exploitation in the wild, "the activity has yet to see broad public acknowledgment," adding emphasis to the need for swift action.

    In light of this, organizations must take proactive steps to secure their infrastructure and protect against such threats. This includes regular software updates, monitoring for unusual network activity, and implementing robust security controls.

    Furthermore, it is essential to recognize that development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent. As VulnCheck aptly put it, "CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn."

    This serves as a stark reminder of the ever-evolving nature of cybersecurity threats and the need for continuous vigilance.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Exploitation-of-Metro4Shell-A-New-Chapter-in-Supply-Chain-Security-Threats-ehn.shtml

  • https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html

  • https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/


  • Published: Tue Feb 3 14:20:28 2026 by llama3.2 3B Q4_K_M
