Comprehensive Threat Exposure Management Platform
A critical zero-day vulnerability tracked as CVE-2025-8110 has been discovered in Gogs, the widely deployed self-hosted Git service platform. This Gogs vulnerability enables authenticated attackers to achieve remote code execution through improper symbolic link handling in the PutContents API, effectively bypassing the previous security fix for CVE-2024-55947. The Gogs zero-day exploit was first detected on July 10, 2025, and has since resulted in a mass compromise affecting over 700 of approximately 1,400 publicly exposed Gogs instances. Threat actors have weaponized this Gogs RCE vulnerability using the Supershell open-source command-and-control framework to establish persistent backdoor access. As of December 2025, no official Gogs security patch is available, leaving hundreds of deployments vulnerable to ongoing exploitation campaigns targeting Git service platforms.
The Gogs zero-day vulnerability surfaced on July 10, 2025, when security researchers identified active malware infections across multiple public-facing Gogs instances. What appeared initially as isolated compromises quickly revealed an ongoing Gogs exploitation campaign targeting an unknown vulnerability in the Git service platform. Investigators immediately disclosed the Gogs security flaw to maintainers, who acknowledged the issue and began developing a patch, but active exploitation continues across hundreds of vulnerable Gogs deployments.
Gogs, a lightweight Git service written in Go, serves as a streamlined alternative to GitLab and GitHub Enterprise for development teams. The Gogs platform’s simplicity and portability have driven widespread adoption across on-premise and cloud environments, supporting distributed development workflows. However, over 1,400 Gogs servers remain publicly accessible, with many retaining default “Open Registration” settings—a combination of Gogs misconfiguration and broad exposure that created optimal conditions for threat actors to weaponize the newly discovered Gogs vulnerability.
CVE-2025-8110 functions as a bypass for the previously patched Gogs remote code execution issue CVE-2024-55947. Although Gogs maintainers attempted to remediate the earlier path traversal flaw through input validation, they failed to account for symbolic links within Git repositories. The Gogs vulnerability allows symlinks pointing outside repository boundaries, enabling attackers to abuse the PutContents API to overwrite arbitrary files beyond intended directories. By modifying sensitive configuration files like .git/config—specifically the sshCommand field—attackers achieve arbitrary command execution on Gogs host systems. This Gogs symlink handling weakness reflects recurring architectural vulnerabilities similar to CVE-2024-56731 and CVE-2024-54148.
The initial Gogs breach involved a compromised cloud workload running Gogs version 0.13.2, previously considered protected against earlier RCE vulnerabilities. The Gogs server contained suspicious repositories created days before malware infection, each named with random eight-character strings indicating automated Gogs exploitation. Deployed malware was Go-based, UPX-packed, and heavily obfuscated using Garble techniques. Following deobfuscation with Mandiant’s ungarbler tool, researchers identified the Supershell framework—a reverse SSH shell tool enabling remote command execution on compromised Gogs instances. The Gogs attack campaign traced back to a single command-and-control server, strongly suggesting coordinated large-scale exploitation by a unified threat actor or closely aligned group targeting Git service platforms.
Organizations running Gogs must apply the official Gogs security patch immediately upon release to close the CVE-2025-8110 exploitation window. Until the Gogs patch becomes available, disabling “Open Registration” on all Gogs instances prevents attackers from creating unauthorized accounts for Gogs exploitation, particularly on internet-facing servers where the Gogs vulnerability poses greatest risk.
Security teams should audit all Gogs repositories for suspicious symbolic links pointing outside repository directories, removing unexpected symlinks and monitoring for new malicious creations. Check Gogs deployments for compromise indicators including recent repositories with random eight-character names, unexpected new user accounts, modified .git/config files, and SSH command field alterations—all common indicators observed in this Gogs attack campaign.
Enable detailed Gogs logging and forward logs to SIEM platforms for centralized monitoring of the Git service platform. Early visibility into Gogs exploitation attempts enables rapid detection and response to CVE-2025-8110 attacks. Implement comprehensive vulnerability management practices including regular Gogs software assessments, maintaining inventories of Gogs versions and security patches, and evaluating security practices for Git service platforms and critical development infrastructure.
SHA1 Hashes:
IPv4 Addresses:
TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0005 – Defense Evasion
TA0011 – Command and Control
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit https://github.com/gogs/gogs/releases
Get through updates and upcoming events, and more directly in your inbox