Image: VulnCheck
A new report from VulnCheck reveals that CVE-2025-11953, a critical flaw in the Metro development server dubbed “Metro4Shell,” was being actively weaponized in the wild as early as late December 2025—long before it hit the mainstream radar.
The findings expose a dangerous gap between attacker speed and defender awareness. As of late January, public discourse largely dismissed the flaw as a “theoretical risk.” In reality, it was already a live intrusion vector.
VulnCheck’s network of “canaries”—honeypots designed to detect early exploitation—caught the attackers red-handed. The report confirms that “VulnCheck Canaries observed exploitation of CVE-2025-11953 in late December”.
Crucially, this wasn’t just a stray scanner or a researcher poking around. The telemetry showed “consistent payload delivery across multiple dates rather than one-off probing or research activity”.
The attackers were delivering advanced payloads specifically targeting Windows systems. This demonstrates that “Metro4Shell provides a practical initial access mechanism when exposed to the public internet”.
VulnCheck tracked the attacks to a specific cluster of infrastructure. The exploitation originated from IP addresses including 65.109.182.231, 223.6.249.141, and 134.209.69.155.
The payloads themselves—named simply “windows” and “linux”—were hosted on separate servers, indicating a prepared operation targeting multiple operating systems.
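One way a defender can act on the indicators above is to run them against the access logs of any Metro server that was reachable from the internet, and at the same time apply the report's own distinction between one-off probing and sustained delivery (a source seen on several distinct days). The script below is an added example, not code from VulnCheck or from the article; it assumes logs in Apache/nginx combined format, and the sample log lines are constructed for illustration rather than taken from real telemetry. The three source IPs are the ones quoted in the report; the other two addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Source IPs named in the VulnCheck report (quoted in the article above).
REPORT_IOC_IPS = {"65.109.182.231", "223.6.249.141", "134.209.69.155"}

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (assumption: not real traffic). 198.51.100.7 and
# 192.0.2.10 are documentation-range addresses used as non-indicator noise.
SAMPLE_LOG = """\
65.109.182.231 - - [28/Dec/2025:10:15:32 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [28/Dec/2025:11:02:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
65.109.182.231 - - [29/Dec/2025:03:44:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.10 - - [29/Dec/2025:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"
223.6.249.141 - - [30/Dec/2025:22:17:45 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [30/Dec/2025:23:05:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
65.109.182.231 - - [31/Dec/2025:01:30:59 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict with ip, date, request and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "date": ts.date(),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def analyze(lines, ioc_ips=REPORT_IOC_IPS, min_days=2):
    """Match log lines against the indicator set and flag sustained sources.

    Returns:
      ioc_hits          - every parsed request from an indicator IP
      first_seen        - earliest date (ISO) each indicator IP appeared
      sustained_sources - IPs (indicator or not) seen on >= min_days distinct days,
                          the report's criterion for "consistent delivery" rather
                          than one-off probing
    """
    days_by_ip = defaultdict(set)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format access log entries
        days_by_ip[rec["ip"]].add(rec["date"])
        if rec["ip"] in ioc_ips:
            hits.append(rec)
    first_seen = {
        ip: min(days).isoformat() for ip, days in days_by_ip.items() if ip in ioc_ips
    }
    sustained = sorted(ip for ip, days in days_by_ip.items() if len(days) >= min_days)
    return {"ioc_hits": hits, "first_seen": first_seen, "sustained_sources": sustained}


def analyze_text(text):
    """Convenience wrapper: analyze a whole log file held as a string."""
    return analyze(text.splitlines())


if __name__ == "__main__":
    result = analyze_text(SAMPLE_LOG)
    print(f"{len(result['ioc_hits'])} request(s) from report indicator IPs")
    for ip, day in sorted(result["first_seen"].items()):
        print(f"  {ip} first seen {day}")
    print("sources active on multiple days:", ", ".join(result["sustained_sources"]))
```

Running it on the constructed sample reports four requests from indicator IPs, a first-seen date of 2025-12-28 for 65.109.182.231, and two sources active on more than one day. The second list deliberately includes a non-indicator address: the point of the multi-day check is to surface persistent sources that are not yet on any published list, which is exactly the gap the report describes between exploitation and public awareness.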
The primary takeaway from the Metro4Shell incident is a stark reminder about the nature of internet-facing assets. The intent of the software doesn’t matter; its accessibility does.
As the report eloquently concludes: “Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent”.
Organizations are urged to stop waiting for official “Known Exploited Vulnerability” (KEV) alerts before patching exposed development tools. In the case of CVE-2025-11953, waiting for consensus meant giving attackers a month-long head start.