What happened
CISA added CVE-2025-11953 to the Known Exploited Vulnerabilities (KEV) catalog, signaling evidence of active exploitation in the wild [CISA KEV]. The issue is an OS command injection (CWE-78) in the React Native Community CLI that lets unauthenticated network attackers achieve code execution through the Metro Development Server [NVD record]. CISA's entry states that attackers can send POST requests to a vulnerable endpoint exposed by the server to run arbitrary executables; on Windows, they can execute arbitrary shell commands with fully controlled arguments [CISA KEV].
CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable, with a due date of 2026-02-26 [CISA KEV]. The vulnerability is tracked as CVE-2025-11953 and mapped to command injection (CWE-78) in the public records [MITRE CVE].
Why it matters
A KEV listing means exploitation has been observed, so remediation is not optional for defenders who want to stay ahead of active threat activity [CISA KEV]. This flaw turns a development helper (the Metro Development Server) into a remote code execution surface reachable by unauthenticated network actors via crafted POST requests [NVD record]. Because the same primitive grants shell command execution on Windows with attacker-chosen arguments, any reachable developer workstation becomes a high-leverage initial access vector [CISA KEV].
React Native is embedded in countless mobile app workflows, and the CLI/Metro stack is often running during active development; turning that pathway into arbitrary execution collapses the trust boundary between "dev tooling" and "system execution" [NVD record]. Unauthenticated network reachability combined with command injection is a textbook critical finding, regardless of whether the component is intended for production exposure [MITRE CVE].
Technical detail
Per CISA, the attack requires only the ability to send POST requests to the Metro Development Server, which exposes a vulnerable endpoint reachable over the network without authentication [CISA KEV]. The vulnerability is categorized as CWE-78 (OS command injection), meaning user-supplied data is incorporated into an OS command invocation without sufficient neutralization, enabling arbitrary execution [NVD record].
The impact is twofold:
- Cross-platform launch of arbitrary executables via the server's vulnerable endpoint when attacker-controlled parameters are supplied in a POST body [CISA KEV].
- On Windows, arbitrary shell command execution with fully attacker-controlled arguments, which broadens post-exploitation options through cmd.exe/PowerShell invocation patterns [CISA KEV].
Because the server accepts unauthenticated POSTs, an adversary with network reach can turn this directly into remote code execution with no prerequisite credentials, consistent with the CWE-78 class [MITRE CVE]. KEV inclusion confirms real-world abuse and elevates this from theoretical to operational risk [CISA KEV].
Defense
CISA's guidance: apply vendor mitigations, follow applicable BOD 22-01 cloud service guidance, or discontinue use if mitigations are unavailable; the enforcement due date is 2026-02-26 [CISA KEV]. Treat this as an emergency hardening item for any environment where the Metro Development Server may be reachable from untrusted networks [NVD record].
Practical containment and detection until vendor guidance is applied:
- Restrict exposure: ensure the Metro Development Server is bound only to localhost and not reachable beyond the developer host, minimizing unauthenticated reachability [CISA KEV].
- Network monitoring: alert on non-localhost POST requests targeting the Dev Server, especially from unfamiliar subnets or remote sources that indicate reconnaissance or exploitation [NVD record].
- Process telemetry: watch for the CLI/Node process spawning system executables; on Windows, flag cmd.exe or powershell.exe launches with unusual argument strings that follow network activity [MITRE CVE].
- Access policy: do not run the Dev Server on shared or hostile networks, and shut it down when not in active use to shrink the window of exposure [CISA KEV].
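As an added example (not from the advisory or from the React Native project), the following Python correlates the two telemetry sources recommended above: non-localhost POSTs to the Dev Server and shell processes spawned by the Node/CLI parent shortly afterwards. The log formats, hosts, endpoint paths, process names and the 10-second window are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
# Constructed sample telemetry (not real logs); paths, hosts and arguments are placeholders.
HTTP_LOG = """
2025-11-20T10:00:01Z 127.0.0.1 POST /endpoint-a 200
2025-11-20T10:00:05Z 10.20.30.40 POST /endpoint-b 200
2025-11-20T10:04:00Z 192.168.1.77 GET /index.bundle 200
2025-11-20T10:09:00Z 172.16.5.9 POST /endpoint-b 200
""".strip().splitlines()
PROC_LOG = """
2025-11-20T10:00:02Z parent=node.exe child=node.exe args="metro"
2025-11-20T10:00:06Z parent=node.exe child=cmd.exe args="/c echo sample"
2025-11-20T10:04:01Z parent=node.exe child=powershell.exe args="-Command Get-Date"
2025-11-20T10:12:00Z parent=node.exe child=cmd.exe args="/c dir"
""".strip().splitlines()

WINDOW = timedelta(seconds=10)  # a shell spawned this soon after a remote POST is suspicious
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
DEV_SERVER_PARENTS = {"node", "node.exe"}  # the CLI/Metro server runs under Node
HTTP_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \d+$")  # time src method path status
PROC_RE = re.compile(r'^(\S+) parent=(\S+) child=(\S+) args="(.*)"$')

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _rows(regex, lines):
    return [m.groups() for m in map(regex.match, lines) if m]

def remote_posts(lines):
    """(time, src) for POSTs whose source address is not the loopback interface."""
    return [(_ts(ts), src) for ts, src, method, _path in _rows(HTTP_RE, lines)
            if method == "POST" and not ip_address(src).is_loopback]

def shell_spawns(lines):
    """(time, child, args) for shells spawned by the Node/CLI server process."""
    return [(_ts(ts), child, args) for ts, parent, child, args in _rows(PROC_RE, lines)
            if parent in DEV_SERVER_PARENTS and child in SHELLS]

def correlate(http_lines, proc_lines, window=WINDOW):
    """Pair each shell spawn with a remote POST that preceded it within `window`;
    loopback POSTs, GETs and spawns with no recent remote POST never alert."""
    posts = remote_posts(http_lines)
    alerts = []
    for when, child, args in shell_spawns(proc_lines):
        for post_time, src in posts:
            if timedelta(0) <= when - post_time <= window:
                alerts.append((src, child, args, (when - post_time).total_seconds()))
                break
    return alerts
```

With the sample data only the cmd.exe spawn one second after the POST from 10.20.30.40 alerts; the local POST, the GET and the spawn three minutes after a remote POST are all ignored.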
For regulated entities, KEV status typically mandates prioritized remediation workflows; track completion against the CISA due date and document exceptions only with compensating controls [CISA KEV].
Lyrie Verdict
This is a classic developer-tool RCE that autonomous adversaries can chain at machine speed by scanning for reachable Metro Dev Servers and driving unauthenticated POSTs into command execution [CISA KEV]. Lyrie ties network and process telemetry together to catch this path in real time: anomalous POSTs to dev tooling endpoints and immediate child-process spawns from the CLI/Node server are fused into a single autonomous decision, cutting dwell time to seconds instead of tickets and triage [NVD record]. For Windows dev hosts, Lyrie applies a higher risk weighting when network-originated requests precede shell spawns with attacker-like argument entropy, halting the chain before payload execution completes [MITRE CVE]. Developer machines are soft targets; autonomous detection that does not wait for human reaction time is the right countermeasure against this KEV-listed RCE [CISA KEV].
Autonomous RCE on a developer server is ideal for machine-speed exploitation. Lyrie fuses network POST anomalies and immediate CLI-to-shell spawns to auto-interdict before execution completes—no human wait states.