Unpatched Gogs Zero-day Exploited Across 700+ Instances Amid Active...
A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz.
The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix for the issue is said to be currently in the works. The company said it accidentally discovered the zero-day flaw in July 2025 while investigating a malware infection on a customer's machine.
"Improper symbolic link handling in the PutContents API in Gogs allows local execution of code," according to a description of the vulnerability in CVE.org.
The cloud security company said CVE-2025-8110 is a bypass for a previously patched remote code execution flaw (CVE-2024-55947, CVSS score: 8.7) that allows an attacker to write a file to an arbitrary path on the server and gain SSH access to the server. CVE-2024-55947 was addressed by the painters in December 2024.
Wiz said the fix put in place by Gogs to resolve CVE-2024-55947 could be circumvented by taking advantage of the fact that Git (and therefore, Gogs) allows symbolic links to be used in git repositories, and those symlinks can point to files or directories outside the repository. Additionally, the Gogs API allows file modification outside of the regular Git protocol.
As a result, this failure to account for symlinks could be exploited by an attacker to achieve arbitrary code execution through a four-step process -
As for the malware deployed in the activity, it's assessed to be a payload based on Supershell, an open-source command-and-control (C2) framework often used by Chinese hacking groups that can establish a reverse SSH shell to an attacker-controlled server ("119.45.176[.]196").
Wiz said that the attackers behind the exploitation of CVE-2025-8110 left behind the created repositories (e.g., "IV79VAew / Km4zoh4s") on the customer's cloud workload when they could have taken steps to delete or mark them as private following the infection. This carelessness points to a "smash-and-grab" style campaign, it added.
In all, there are about 1,400 exposed Gogs instances, out of which more than 700 have exhibited signs of compromise, particularly the presence of 8-character random owner/repository names. All the identified repositories were created around July 10, 2025.
"This suggests that a single actor, or perhaps a group of actors all using the same too
Source: The Hacker News
