React Native Metro servers Metro4Shell exploitation wave (CVE-2025-11953)
Exploitation Wave
Summary
Hide ▲
Show ▼
Repeated exploitation of CVE-2025-11953 is hitting exposed React Native Metro servers, creating remote command and payload-delivery risk across a large development-systems footprint. The activity was observed on Dec. 21, 2025, then again on Jan. 4 and Jan. 21, showing sustained abuse of the same attack path. Roughly 3,500 exposed Metro servers were found online, leaving a broad target set for further exploitation.
Related Happenings
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
VulnerabilityAbout this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
Tropic Trooper trojanized SumatraPDF remote-access campaign
CampaignAbout this happening: **Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
CampaignAbout this happening: The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)
Vulnerability
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic**'s **CVE-2026-21962** was being **actively exploited** almost immediately after public exploit code appeared, creating a **CVSS 10.0** unauthenticated RCE risk...
Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)
VulnerabilityAbout this happening: **Oracle WebLogic**'s **CVE-2026-21962** was being **actively exploited** almost immediately after public exploit code appeared, creating a **CVSS 10.0** unauthenticated RCE risk...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation WaveAbout this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Timeline
-
03.02.2026 16:00 3 articles · 3mo ago
Initial report: React Native Metro servers Metro4Shell exploitation wave (CVE-2025-11953)
Initial DisclosureThe wave began on **Dec. 21, 2025** when a threat actor was first observed exploiting **CVE-2025-11953** against exposed **React Native Metro servers**. The same payload set reappeared on **Jan. 4** and **Jan. 21**, confirming repeated abuse of the same attack path.
Show sources
- Hackers exploit critical React Native Metro bug to breach dev systems — www.bleepingcomputer.com — 03.02.2026 16:00
- Hackers exploit critical React Native Metro bug to breach dev systems — www.bleepingcomputer.com — 03.02.2026 16:00
- Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks — thehackernews.com — 04.11.2025 16:24