A newly discovered zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited in the wild, putting more than 700 internet-facing servers at immediate risk. The security issue, tracked as CVE-2025-8110 with a severe CVSS score of 8.7, has no official patch yet. The cloud security firm Wiz uncovered the flaw while investigating a malware attack on one of its customer workloads.
This incident highlights a growing trend of attackers targeting developer tools, Git platforms, and automation systems as easy ways to gain initial access into cloud environments. With no fix available, Gogs users need to take urgent action to protect their systems.
According to the CVE description, the vulnerability is caused by improper symbolic link (symlink) handling in Gogs’ PutContents API. This weakness allows attackers to abuse the API to overwrite files anywhere on the server, leading to local code execution and potentially full system compromise.
In simple terms:
Gogs does not correctly validate symlinks, allowing attackers to trick the system into writing files outside the Git repository—something that should never happen.
What makes this flaw more concerning is that CVE-2025-8110 acts as a bypass for another major vulnerability fixed earlier, CVE-2024-55947. That earlier flaw also enabled remote code execution by letting an attacker write files to arbitrary paths on the server. Gogs attempted to patch that bug in December 2024, but the new discovery shows the fix can be sidestepped.
Wiz researchers explained that the attack method relies on Git’s inherent support for symbolic links. Because Gogs allows symlinks inside repositories and lets its API modify files, an attacker can chain these behaviors to escape the repository boundaries.
The exploitation process works in four simple steps:
- Create a new Git repository on the vulnerable Gogs instance.
- Add a symbolic link inside the repository that points to a sensitive system file outside the repo.
- Use Gogs’ PutContents API to write data to the symlink.
- The system follows the link and overwrites the real system file, such as .git/config, allowing remote command execution via manipulated SSH settings.
By altering the sshCommand inside .git/config, attackers gain the ability to execute arbitrary commands on the server—a classic remote code execution outcome.
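The defensive counterpart to the symlink-following behaviour described above is a containment check that resolves the requested path before anything is written. The Go function below is an added example written for this article, not Gogs code and not its patch; the name ResolveInsideRepo and the assumed layout (a repository root directory plus a client-supplied relative path) are illustrative. It rejects paths that escape lexically, resolves every existing component through the filesystem (the repository root included), refuses to write through a final component that is itself a symlink, and confirms the resolved result still lies under the root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo is returned when the requested path would end up outside the repository.
var ErrEscapesRepo = errors.New("target path resolves outside the repository root")

// ResolveInsideRepo takes the repository's on-disk root and the repo-relative
// path a client asked to write, and returns the absolute path that may safely
// be written, or an error if any component (symlinks included) would leave
// the repository. Hypothetical helper for illustration; not the Gogs code.
func ResolveInsideRepo(repoRoot, relPath string) (string, error) {
	// Canonicalise the root so all comparisons are against the real directory.
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	root = filepath.Clean(root)

	// Reject absolute paths and lexical escapes ("../x") before touching the FS.
	clean := filepath.Clean(relPath)
	if filepath.IsAbs(clean) || clean == "." || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	target := filepath.Join(root, clean)

	// Walk back from the target to the deepest component that exists.
	// Missing trailing components are fine: the write will create them.
	existing, rest := target, ""
	for {
		fi, err := os.Lstat(existing)
		if err == nil {
			// A final component that is a symlink is refused outright: writing
			// through it lands wherever the link points, which is the bug class here.
			if existing == target && fi.Mode()&os.ModeSymlink != 0 {
				return "", ErrEscapesRepo
			}
			break
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}

	// Resolve symlinks in the existing prefix (e.g. a symlinked directory),
	// re-append the not-yet-existing tail, and check containment.
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	resolved = filepath.Join(resolved, rest)
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	return resolved, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: resolve <repo-root> <relative-path>")
		os.Exit(2)
	}
	p, err := ResolveInsideRepo(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	fmt.Println("would write to", p)
}
```

A check of this kind is still a check-then-write sequence, so server code that writes to user-controlled paths should additionally open the file with flags that refuse to follow links (O_NOFOLLOW, or openat2 with RESOLVE_BENEATH on Linux) so that the decision and the write cannot be separated by a concurrent change to the tree.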
During the investigation, Wiz discovered that the attackers deployed malware based on Supershell, a well-known open-source command-and-control (C2) framework. Supershell is frequently used by Chinese threat groups and is designed to open a reverse SSH shell directly to an attacker-controlled server, identified as 119.45.176[.]196.
Interestingly, the attackers left traces behind. They did not delete the rogue repositories created during exploitation. Many of these repositories had random 8-character names, such as:
- IV79VAew
- Km4zoh4s
This sloppy operational behavior suggests a “smash-and-grab” attack campaign, where speed matters more to the attackers than stealth.
Wiz identified around 1,400 publicly exposed Gogs servers, and shockingly, over half (around 700) show signs of compromise. The compromised systems all contained suspicious, automatically generated repositories created around July 10, 2025.
Researchers Gili Tikochinski and Yaara Shriki believe this strongly indicates a single threat actor or a coordinated group using the same exploitation toolkit.
Since there is no official fix, Gogs administrators must take urgent defensive steps:
- Disable open user registration. This prevents attackers from creating malicious repositories without authentication.
- Reduce or block internet exposure. Place the Gogs instance behind a VPN or restrict it to internal networks only.
- Search for suspicious repositories. Check for unknown repositories with random 8-character names; their presence is a strong sign of compromise.
- Monitor SSH configurations and logs. Attackers modify .git/config to hijack SSH commands.
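Two of the mitigations above, looking for random 8-character repository names and for tampered SSH settings in the repositories' config files, can be automated across a Gogs repository store. The Go program below is an added example for this article, not a Wiz or Gogs tool; it assumes the usual on-disk layout of bare repositories (<root>/<owner>/<repo>.git/config) under whatever store path the Gogs instance is configured with, and the config samples in its test are constructed. It parses each config's [core] section for an sshCommand entry and flags repository names that match the campaign's naming pattern, reading only and never executing anything it finds.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding describes one suspicious observation in a repository store.
type Finding struct {
	Repo   string // "<owner>/<name>.git" relative to the store root
	Reason string
}

// randomName matches the 8-character alphanumeric names seen in the campaign.
var randomName = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// IsRandomName reports whether a repository name (without ".git") matches the
// auto-generated pattern described in the article. Legitimate 8-character names
// match too, so treat a hit as a triage signal rather than proof.
func IsRandomName(name string) bool {
	return randomName.MatchString(name)
}

// SSHCommandIn parses a Git config body and returns the value of core.sshCommand
// if one is set. Git config keys are case-insensitive; section headers look like
// "[core]", and subsections such as [remote "origin"] are not core and are skipped.
func SSHCommandIn(config string) (string, bool) {
	section := ""
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		if section != "core" {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if ok && strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
			return strings.TrimSpace(val), true
		}
	}
	return "", false
}

// ScanRepoStore walks a store laid out as <root>/<owner>/<repo>.git (assumed
// layout for bare repositories) and collects findings for every repository.
func ScanRepoStore(root string) ([]Finding, error) {
	var findings []Finding
	owners, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	for _, owner := range owners {
		if !owner.IsDir() {
			continue
		}
		repos, err := os.ReadDir(filepath.Join(root, owner.Name()))
		if err != nil {
			return nil, err
		}
		for _, repo := range repos {
			if !repo.IsDir() || !strings.HasSuffix(repo.Name(), ".git") {
				continue
			}
			rel := filepath.Join(owner.Name(), repo.Name())
			if IsRandomName(strings.TrimSuffix(repo.Name(), ".git")) {
				findings = append(findings, Finding{rel, "random 8-character repository name"})
			}
			data, err := os.ReadFile(filepath.Join(root, rel, "config"))
			if err != nil {
				continue // no readable config: nothing to inspect here
			}
			if cmd, ok := SSHCommandIn(string(data)); ok {
				findings = append(findings, Finding{rel, "core.sshCommand set: " + cmd})
			}
		}
	}
	return findings, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: scan <path-to-gogs-repository-store>")
		os.Exit(2)
	}
	findings, err := ScanRepoStore(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\n", f.Repo, f.Reason)
	}
}
```

Run it against the repository store path from the instance's configuration; any core.sshCommand hit in a server-side bare repository deserves immediate attention, since nothing in normal Gogs operation sets that key, and a cluster of random-named repositories created around the same date matches the campaign described above.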
Wiz also reported a separate but related threat trend: attackers stealing GitHub Personal Access Tokens (PATs) and using them as high-value entry points to infiltrate cloud environments. Even a PAT with basic read-only permissions can be abused.
Using GitHub’s API, attackers can read YAML workflows and extract secret names embedded inside them. If the stolen PAT has write permissions, the situation becomes worse:
- Insert malicious workflows
- Execute code inside the CI/CD pipeline
- Exfiltrate secrets through webhook endpoints
- Erase traces by modifying or deleting workflows
This technique completely bypasses GitHub Actions logs, making detection difficult.
The active exploitation of CVE-2025-8110 shows once again that developer tools and Git platforms are prime targets for modern attackers. With no patch available and hundreds of systems already compromised, proactive mitigation is crucial.
Organizations using Gogs should limit exposure, conduct detailed instance audits, and enhance cloud and GitHub credential hygiene to prevent further attacks.