Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
Summary:
Wiz Threat Research has identified and publicly disclosed a critical zero-day vulnerability, CVE-2025-8110 (CVSS: 8.7), that is being actively exploited in the wild against Gogs, a popular self-hosted Git service. The flaw is a symlink bypass of a previously patched path traversal vulnerability (CVE-2024-55947). It allows an authenticated attacker to create a symbolic link inside a Git repository that points to a sensitive file outside the repository directory; by then using the PutContents API to write content to that symlink, the attacker can overwrite arbitrary files on the system. The observed attack chain overwrites the repository's Git configuration file, .git/config (specifically its sshCommand setting), to achieve remote code execution. The exploitation campaign is widespread and appears to be automated and indiscriminate, "smash-and-grab" in style: over 700 exposed instances (more than 50% of the public-facing Gogs servers observed) show signs of compromise, identified by suspicious repositories created with random 8-character names. The final payload deployed on compromised systems is highly obfuscated malware based on the Supershell framework, which establishes a reverse SSH shell for remote command and control to the server 119.45.176[.]196. As of the reporting date, active exploitation is ongoing and an official patch from the Gogs maintainers is not yet available, leaving this a critical, unmitigated threat.
Security Officer Comments:
The emergence of CVE-2025-8110 highlights a recurring security failure in Gogs related to the insecure handling of symbolic links, a pattern previously observed in vulnerabilities such as CVE-2024-56731 and CVE-2024-54148. That the new vulnerability is a direct bypass of a previous RCE fix underscores how hard it is to robustly secure applications that handle file system interactions, particularly when standard Git behaviors such as symlink support are combined with web-based APIs. The high volume of compromised instances (exceeding 700) strongly suggests that a single automated threat actor or coordinated group is conducting this opportunistic campaign, which capitalizes on the broad attack surface created by Gogs' default "Open Registration" setting and its exposure to the internet. The deployment of the Supershell C2 framework, designed to manage reverse SSH shells through a web-based interface, indicates that the adversaries are focused on establishing persistent, covert remote access to infected hosts.
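As an added illustration of the defect class described above (example code written here, not Gogs' own), the Go functions below contrast a purely lexical containment check, which blocks "../" traversal but never consults the file system, with a symlink-aware check that also refuses to write through any path component that is a symbolic link. Function names are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("path escapes repository root")
var ErrSymlink = errors.New("path component is a symbolic link")

// lexicalRepoPath is the kind of check that stops plain "../" traversal: it
// cleans the joined path and requires the result to stay under repoRoot.
// It never touches the file system, so a symlink inside the repository that
// points outside it passes unchallenged.
func lexicalRepoPath(repoRoot, relPath string) (string, error) {
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, relPath)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// safeRepoPath keeps the lexical check and then Lstats every existing component
// of the path, refusing the write if any of them is a symlink. Components that
// do not exist yet cannot redirect the write and are allowed.
func safeRepoPath(repoRoot, relPath string) (string, error) {
	full, err := lexicalRepoPath(repoRoot, relPath)
	if err != nil {
		return "", err
	}
	root := filepath.Clean(repoRoot)
	rel, _ := filepath.Rel(root, full) // cannot fail: full is under root
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return full, nil // nothing below this point exists yet
		} else if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return full, nil
}
```

The write itself should then open the returned path with O_NOFOLLOW (or equivalent) so that a symlink created between the check and the write is still not followed.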
Suggested Corrections:
If you are running a Gogs server (version <= 0.13.3) that is:
- Exposed to the internet.
- Running with open registration enabled (the default setting).
Immediate Actions:
- If your instance does not require open registration, disable it immediately.
- Limit internet exposure: place self-hosted Git services behind a VPN or restrict access with an IP address allow-list.
- Look for the creation of repositories with random 8-character names and for unexpected use of the PutContents API.
Link(s):
https://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.html