
Metro4Shell RCE Flaw Exploited in React Native CLI npm Package

2 unique sources, 2 articles

Summary

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package, enabling unauthenticated OS command execution. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks, first observed on December 21, 2025, originate from multiple IP addresses and indicate operational use rather than experimental probing. A separate campaign is exploiting React2Shell (CVE-2025-55182), a pre-authentication RCE flaw in React Server Components (RSCs) affecting Next.js applications, for large-scale credential theft. This campaign, attributed to UAT-10608, uses the NEXUS Listener automated tool to harvest credentials, SSH keys, cloud tokens, and environment secrets from at least 766 compromised hosts across multiple industries and regions. Attackers leverage automated scanning to identify vulnerable deployments and deploy NEXUS Listener for post-exploitation data collection and further malicious activity.

Timeline

  1. 03.02.2026 16:00 · 2 articles

    Metro4Shell Exploited to Deliver PowerShell Script and Rust-Based Binary

    Cisco Talos reports a new global credential theft campaign (UAT-10608) exploiting React2Shell (CVE-2025-55182) in Next.js applications to deploy the NEXUS Listener automated credential-harvesting tool. The campaign has compromised at least 766 hosts across multiple industries and geographic regions, with attackers using automation to identify vulnerable deployments and exfiltrate credentials, SSH keys, cloud tokens, and environment secrets via the NEXUS Listener GUI-based analytics dashboard. Defenders are advised to patch CVE-2025-55182, rotate credentials, and monitor for artifacts such as unexpected /tmp processes or unusual outbound connections.

Similar Happenings

Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform

A critical zero-click remote code execution (RCE) vulnerability (CVE-2026-28289) in the FreeScout helpdesk platform allows attackers to hijack mail servers by sending a crafted email. The flaw bypasses a previous fix for another RCE issue (CVE-2026-27636) and enables unauthenticated command execution on the server. FreeScout versions up to 1.8.206 are affected, and immediate patching to version 1.8.207 is recommended. The vulnerability uses a zero-width space (Unicode U+200B) to bypass security checks, allowing malicious file uploads and subsequent exploitation. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. Ox Security discovered a patch bypass that allowed reproduction of the same RCE on newly updated servers and escalated the attack chain to a zero-click RCE. The PHP-based Laravel framework, on which FreeScout is built, has over 83,000 GitHub stars and around 13,000 publicly exposed servers.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858, CVE-2026-25049, CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)

The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added **CVE-2025-68613** to its **Known Exploited Vulnerabilities (KEV) catalog**, mandating federal agencies to patch n8n instances by **March 25, 2026**, due to **active exploitation** of this critical remote code execution (RCE) flaw. Meanwhile, **Pillar Security** has disclosed two new critical vulnerabilities (**CVE-2026-27577** and **CVE-2026-27493**), with the latter being a **zero-click, unauthenticated flaw** that allows **full server compromise** via public form endpoints (e.g., a "Contact Us" form) without requiring authentication or user interaction. Over **40,000 unpatched instances** remain exposed globally, with **18,000+ in North America and 14,000+ in Europe**, per Shadowserver data. This development follows a series of **critical n8n vulnerabilities** disclosed since late 2025, including **CVE-2026-21877 (CVSS 10.0)**, **CVE-2026-21858 (unauthenticated RCE)**, and **four March 2026 flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)** enabling **sandbox escapes, credential theft, and unauthenticated expression injection**. Affected versions span **<1.123.22, >=2.0.0 <2.9.3, and >=2.10.0 <2.10.1**, with patches available in **1.123.22, 2.9.3, and 2.10.1**. The platform’s widespread use in **AI orchestration and enterprise automation**—coupled with its storage of **API keys, database credentials, and cloud secrets**—makes it a prime target for attackers seeking **full server compromise** or **lateral movement into connected systems**.

Weaxor Ransomware Exploits React2Shell Vulnerability in Targeted Attacks

The Weaxor ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to a corporate network and deployed the ransomware within a minute. The attack involved disabling Windows Defender, deploying a Cobalt Strike beacon, and encrypting files with the '.WEAX' extension. The vulnerability, an insecure deserialization issue in React Server Components, has been exploited by various threat actors since its disclosure. The attack was limited to the vulnerable endpoint, with no lateral movement observed. The same host was later compromised by other attackers, indicating high malicious activity around React2Shell.