Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SecurityWeek

Critical React Native Vulnerability Exploited in the Wild

  • What: A critical vulnerability in React Native is being actively exploited.
  • Why: The vulnerability allows attackers to bypass protections and deliver malware.
  • Impact: Could lead to unauthorized code execution and compromise of affected applications.

MALWARE & THREATS

Critical React Native Vulnerability Exploited in the Wild

Albeit mainly considered a theoretical risk, the flaw has been exploited to disable protections and deliver malware.

By Ionut Arghire | February 3, 2026 (9:00 AM ET)

Threat actors have been exploiting a critical-severity React Native vulnerability in attacks since late December, VulnCheck warns.

Tracked as CVE-2025-11953 (CVSS score of 9.8) and disclosed in early November, the bug impacts the highly popular React Native Community CLI NPM package (@react-native-community/cli), which has roughly two million weekly downloads. It is part of the React Native Community CLI project, which was extracted from the open source framework for improved maintainability, and provides a set of command-line tools for app building.

While CVE-2025-11953 and other vulnerabilities impacting development servers are typically exploitable only from the developer’s local machine, a second issue in React Native exposes the servers to external attackers, software supply chain security firm JFrog warned in November.

Now, VulnCheck mirrors the warning after observing in-the-wild exploitation of the CVE, despite limited public attention.

“As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared,” VulnCheck notes in a fresh report.

The vulnerability intelligence firm, which has named the bug Metro4Shell, observed initial exploitation attempts on December 21, followed by more activity on January 4 and 21, suggesting continuous operational use. Thousands of internet-accessible React Native instances could be at risk.
“This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet,” VulnCheck says.

According to the company, the Metro4Shell React Native vulnerability resides within Metro, the JavaScript bundler and development server that React Native apps use in the development and testing stages. By default, Metro can bind to external interfaces, exposing deployments to unauthenticated, remote OS command execution via simple POST requests.

VulnCheck observed the attackers deploying a multi-stage PowerShell-based loader designed to disable Microsoft Defender protections, establish a raw TCP connection to the attackers’ host, send a GET request and receive a payload, and execute the downloaded payload.

“This same methodology was observed across multiple attacks. The deliberate disabling of Microsoft Defender protections before payload retrieval indicates the attacker anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow,” VulnCheck notes.

The final payload is written in Rust and has basic anti-analysis logic. VulnCheck has observed payloads targeting both Windows and Linux systems.

“CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent,” VulnCheck notes.

Ionut Arghire is an international correspondent for SecurityWeek.