700+ Instances Hacked: Gogs Zero-Day CVE-2025-8110 Under Active Exploitation
Attackers are actively exploiting a newly discovered zero-day vulnerability in Gogs—a widely used self-hosted Git service—for which no official patch has yet been released. According to Wiz, the ongoing campaign has already compromised more than 700 instances, and the exploit code remains in active circulation.
Researchers say the flaw was uncovered almost by accident. In July, while analyzing an infected machine, they noticed anomalous attempts to exploit Gogs. Further investigation revealed that the attacker was abusing a previously unknown vulnerability to compromise exposed instances. The issue was promptly reported to the Gogs maintainers, who are now working on a fix, but the attacks continue unabated.
The vulnerability has been assigned CVE-2025-8110. Gogs servers running version 0.13.3 or earlier are at risk if they are internet-facing and have open user registration enabled, which is the default configuration; an attacker needs nothing more than an account that can create repositories. In essence, this is a bypass of the earlier patch for CVE-2024-55947, a flaw that allowed authenticated users to overwrite files outside a repository and achieve remote code execution. That original issue was discovered by researcher Manasseh Zhou, but, as it turned out, the remediation was incomplete.
According to Wiz, the core oversight lies in the handling of symbolic links. Gogs, written in Go, lets users host their own Git repositories on-premises or in the cloud rather than relying on GitHub or similar providers. Both Git and Gogs support symbolic links, which are essentially pointers to other files or directories and may reference locations outside the repository itself. Compounding the issue, the Gogs API allows file modifications outside the standard Git protocol: a file can be written directly into the repository on the server without going through a git push.
It is precisely this combination of features that gave rise to the new flaw. Wiz estimates that exploitation can be reduced to a handful of straightforward steps, accessible to any user with permission to create repositories, a capability enabled by default. An attacker first creates a standard Git repository and commits a symbolic link pointing to a sensitive file outside the repository. Next, using the PutContents API, they write data to that symlink. Gogs follows the link and overwrites the target file beyond the repository boundary. By modifying the repository's .git/config file in this way, specifically the core.sshCommand setting that Git runs whenever it performs an SSH operation for that repository, an attacker can coerce the server into executing arbitrary commands during routine repository operations, resulting in remote code execution.
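The mechanism above reduces to one question: does the server-side write follow a committed symlink or refuse it? The Go program below is an added illustration written for this article; it is not Gogs source code, and the function names unsafeWrite, safeWrite and setupRepo are invented. It builds a constructed scenario in a temporary directory (a repository containing a symlink named link that points at a file outside the repository), shows that a naive write through the symlink overwrites the outside file, and shows a hardened write that normalises the path, forbids writes into .git, and Lstat-walks every existing path component so that a symlink anywhere in the chain aborts the write.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Illustrative code for this article, not Gogs source. Names are invented.

var (
	ErrOutsideRepo   = errors.New("refusing write: path is or passes through a symlink")
	ErrForbiddenPath = errors.New("refusing write: path targets the .git directory")
)

// unsafeWrite joins the user-supplied path to the repository root and writes.
// os.WriteFile follows symbolic links, so a committed symlink that points
// outside the repository turns this into an arbitrary file overwrite.
func unsafeWrite(repoRoot, relPath string, data []byte) error {
	return os.WriteFile(filepath.Join(repoRoot, relPath), data, 0o644)
}

// safeWrite neutralises "..", refuses anything under .git, and rejects a
// symlink at any existing component of the path before opening the file.
func safeWrite(repoRoot, relPath string, data []byte) error {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	sep := string(filepath.Separator)
	// A leading separator makes Clean swallow any ".." prefix, so the
	// cleaned path can only name something under root.
	clean := filepath.Clean(sep + relPath)
	parts := strings.Split(strings.TrimPrefix(clean, sep), sep)
	if parts[0] == ".git" {
		return ErrForbiddenPath
	}
	cur := root
	for _, part := range parts {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat does not follow the link itself
		if errors.Is(err, os.ErrNotExist) {
			break // rest of the path does not exist yet; nothing to follow
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return ErrOutsideRepo
		}
	}
	target := filepath.Join(root, clean)
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// setupRepo builds the constructed scenario under base: a repository with a
// .git/config and a symlink "link" pointing at a file outside the repository.
// It returns the repository root and the path of the outside file.
func setupRepo(base string) (repoRoot, secret string, err error) {
	repoRoot = filepath.Join(base, "repo")
	secret = filepath.Join(base, "secret.txt")
	if err = os.MkdirAll(filepath.Join(repoRoot, ".git"), 0o755); err != nil {
		return
	}
	if err = os.WriteFile(filepath.Join(repoRoot, ".git", "config"), []byte("[core]\n"), 0o644); err != nil {
		return
	}
	if err = os.WriteFile(secret, []byte("original"), 0o644); err != nil {
		return
	}
	err = os.Symlink(secret, filepath.Join(repoRoot, "link"))
	return
}

func main() {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo, secret, err := setupRepo(base)
	if err != nil {
		panic(err)
	}
	fmt.Println("safeWrite via symlink:   ", safeWrite(repo, "link", []byte("pwned")))
	fmt.Println("safeWrite to .git/config:", safeWrite(repo, ".git/config", []byte("x")))
	fmt.Println("safeWrite normal file:   ", safeWrite(repo, "docs/readme.md", []byte("ok")))
	fmt.Println("unsafeWrite via symlink: ", unsafeWrite(repo, "link", []byte("pwned")))
	b, _ := os.ReadFile(secret)
	fmt.Println("outside file now contains:", string(b))
}
```

Two caveats apply to the hardened version. Lstat followed by a write is a check-then-act sequence, so a concurrent commit could still swap a directory for a symlink between the two; on Linux the race-free form is to open with O_NOFOLLOW or openat2 with RESOLVE_BENEATH. And the check is deliberately conservative: it also rejects symlinks that point back inside the repository, which is the right default for an API that writes on behalf of untrusted users.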
Roughly 1,400 exposed Gogs instances have been identified online. Wiz reports that more than 700 have already been compromised in this campaign. All affected servers share a distinctive pattern: an owner and repository name consisting of an eight-character random string created on July 10, along with a payload built around the Supershell remote management framework.
The identity of the attackers remains uncertain. While researchers stop short of definitive attribution, they note that Supershell has previously appeared in campaigns linked to Asian threat groups. Last year, Mandiant documented how Chinese espionage actors exploited a critical vulnerability in F5 equipment using Supershell and subsequently sold access to the compromised networks—victims included U.S. defense organizations, U.K. government bodies, and hundreds of other entities.
In the current wave of attacks, the adversaries’ ultimate objectives remain unclear. Wiz reports that in environments where infections were observed directly, the malware was quickly removed, preventing further analysis of attacker activity. For other compromised servers, confirmation is limited to indicators of compromise alone.
Until an official patch is released, Wiz urges Gogs administrators to take immediate defensive action. Chief among the recommendations are disabling open user registration if it is not strictly necessary (in Gogs this is the DISABLE_REGISTRATION setting in the [service] section of app.ini) and restricting access to self-hosted Git services by placing them behind a VPN or other controlled remote-access mechanism rather than exposing them directly to the internet.
Administrators are also advised to closely monitor the creation of new repositories with random eight-character names and to watch for unusual use of the PutContents API. Given the exploitation path, it is also worth checking the .git/config of repositories on the server for an unexpected sshCommand entry. Wiz has published a detailed list of indicators of compromise that operators can use to assess whether their systems have been affected by this campaign.
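One way to turn those two hunting leads into a repeatable log check, as an added example that is not part of Wiz's published indicators: the Go program below scans reverse-proxy access logs in Common Log Format for PUT requests to the contents endpoint and flags any whose owner and repository are both eight-character alphanumeric strings, or whose target path lies under .git. It assumes Gogs sits behind a proxy that logs in that format and that PutContents is served at PUT /api/v1/repos/{owner}/{repo}/contents/{path}, the Gogs v1 API route; verify that path against your own version. The sample log lines are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example for this article; not Gogs code and not Wiz's IoC list.

// Finding is one suspicious PutContents request extracted from an access log.
type Finding struct {
	Client, Owner, Repo, Path string
	Reasons                   []string
}

var (
	// Common Log Format: client ident user [time] "METHOD path proto" status size
	clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)
	// Assumed PutContents route; check against your Gogs version.
	putContentsRe = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/contents/(.+)$`)
	// Campaign pattern reported in the article: eight-character random names.
	randomNameRe = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)
)

// suspicious parses one log line and reports whether it matches a hunting lead.
func suspicious(line string) (Finding, bool) {
	m := clfRe.FindStringSubmatch(line)
	if m == nil || m[2] != "PUT" {
		return Finding{}, false
	}
	path := strings.SplitN(m[3], "?", 2)[0] // drop any query string
	p := putContentsRe.FindStringSubmatch(path)
	if p == nil {
		return Finding{}, false
	}
	f := Finding{Client: m[1], Owner: p[1], Repo: p[2], Path: p[3]}
	if randomNameRe.MatchString(f.Owner) && randomNameRe.MatchString(f.Repo) {
		f.Reasons = append(f.Reasons, "eight-character owner and repo name")
	}
	if strings.HasPrefix(f.Path, ".git/") || strings.Contains(f.Path, "/.git/") {
		f.Reasons = append(f.Reasons, "write targets .git")
	}
	return f, len(f.Reasons) > 0
}

// scan runs suspicious over every line and collects the hits in order.
func scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, ok := suspicious(l); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleLog is constructed input: one repo creation, one PutContents into a
// repo with a random eight-character owner/name, one benign PutContents, and
// one PutContents aimed at .git/config.
var sampleLog = []string{
	`203.0.113.7 - - [10/Jul/2025:03:14:07 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 512`,
	`203.0.113.7 - - [10/Jul/2025:03:14:09 +0000] "PUT /api/v1/repos/k3x9q2wz/k3x9q2wz/contents/link HTTP/1.1" 201 240`,
	`198.51.100.4 - - [10/Jul/2025:08:02:11 +0000] "PUT /api/v1/repos/alice/website/contents/README.md HTTP/1.1" 200 300`,
	`198.51.100.9 - - [10/Jul/2025:09:30:00 +0000] "PUT /api/v1/repos/bob/infra/contents/.git/config HTTP/1.1" 200 300`,
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("%s wrote %s/%s:%s (%s)\n", f.Client, f.Owner, f.Repo, f.Path, strings.Join(f.Reasons, "; "))
	}
}
```

Treat a hit as a lead, not a verdict: an eight-character alphanumeric name also matches ordinary names such as "platform", so pair the output with repository creation times around July 10 and with the published indicators before acting. A write aimed at .git is a stronger signal on its own, since no legitimate contents-API client should touch that directory.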