Critical Gogs Zero-Day CVE-2025-8110 Exposed: Over 700 Instances Hacked, No Patch Available

Critical Gogs Zero-Day Vulnerability Exploited: Over 700 Instances Compromised

A severe zero-day vulnerability has been identified in Gogs, a popular self-hosted Git service, which is currently under active exploitation. This flaw, designated as CVE-2025-8110, enables authenticated users to perform a symlink bypass, potentially leading to Remote Code Execution (RCE). Alarmingly, no official patch has been released to address this issue, and security researchers estimate that more than half of publicly accessible Gogs instances have already been compromised.

Discovery and Initial Findings

The vulnerability came to light on July 10, 2025, during a routine investigation into a malware infection affecting a client’s system. Analysts from Wiz traced the breach back to a Gogs instance operating on version 0.13.2, which was previously considered secure. Further examination revealed that attackers were exploiting a regression in the Gogs API, effectively circumventing protections that had been implemented for a prior vulnerability, CVE-2024-55947.

Technical Details of the Vulnerability

The core issue resides in how Gogs handles file modifications through its API. Previous patches addressed path traversal flaws by validating input paths, but they overlooked symbolic links (symlinks). Like Git itself, Gogs permits users to commit symlinks. An attacker creates a repository, commits a symlink that points to a sensitive file outside the repository (such as a system configuration file), and then uses the PutContents API to write data to that link. The API validates the file path name but does not validate the destination of the symlink, so the write lands outside the repository. This oversight allows attackers to overwrite files on the host system, such as the .git/config file, injecting malicious commands into its sshCommand setting, which Git executes when it next needs an SSH connection, to achieve RCE.

Scope of the Exploitation

Exploitation of this vulnerability requires an account with repository creation privileges. Given that many Gogs instances default to Open Registration, the potential attack surface is extensive. Wiz identified approximately 1,400 public-facing Gogs instances, with over 700 showing signs of compromise. The attacks appear to be orchestrated by a single actor or group employing an automated smash-and-grab approach. All infected instances featured repositories with random 8-character names created within a narrow timeframe around July 10.

Malware Deployment: Supershell

The payload delivered in these attacks is Supershell, an open-source Command and Control (C2) framework written in Go. The binaries are heavily obfuscated using UPX packing and the garble tool, which encrypts string literals and randomizes symbol names, complicating reverse engineering efforts. Supershell establishes a reverse SSH shell via web services, granting the attacker persistent remote access to the compromised system.

Vulnerability Summary and Indicators of Compromise (IoCs)

– Zero-Day CVE: CVE-2025-8110 (Symlink Bypass)
– Related CVE: CVE-2024-55947 (Original RCE)
– Affected Software: Gogs (Self-Hosted Git Service)
– Affected Versions: v0.13.3 and prior
– Status: Unpatched (Active Exploitation)
– Command and Control (C2) IP Addresses:
  – 119.45.176[.]196
  – 106.53.108[.]81
  – 119.91.42[.]53

Response and Mitigation Recommendations

Despite Wiz’s responsible disclosure on July 17, 2025, and the maintainers’ acknowledgment in October, the vulnerability remains unpatched in the main branch of Gogs. Administrators managing Gogs instances are strongly advised to assume their systems may be compromised, especially if they are internet-exposed with open registration enabled.

Immediate Mitigation Steps:

1. Disable Open Registration: Prevent unauthorized account creation by disabling the Open Registration feature.
2. Restrict Access: Limit access to the Gogs service by implementing VPNs or IP allow-lists to control who can connect.
3. Monitor for Anomalies: Conduct thorough scans for unexpected repositories or unusual usage patterns of the PutContents API, which may indicate malicious activity.
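The path check that the technical section says PutContents lacks, and the repository scan that step 3 asks for, as an added example that is not Gogs' own code: `insideRepo` resolves every symlink in a repository-relative path before deciding it is in bounds (a dangling link is refused rather than followed), and `escapingSymlinks` walks a checked-out working tree, which this example assumes you have cloned for triage, and reports links whose targets resolve outside it.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// insideRepo reports whether rel, with every symlink followed, still lies
// under root. This is the check the article says PutContents skips: the API
// validates the link's path name but not the destination it points to.
func insideRepo(root, rel string) (bool, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	candidate := filepath.Join(absRoot, rel) // Join also cleans "../" segments
	resolved, err := filepath.EvalSymlinks(candidate)
	// A file about to be created does not exist yet, so resolve its parent
	// instead; a dangling link still shows up in Lstat and is refused.
	if _, lerr := os.Lstat(candidate); err != nil && lerr != nil {
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		resolved, err = filepath.Join(parent, filepath.Base(candidate)), perr
	}
	if err != nil {
		return false, err
	}
	r, _ := filepath.Rel(absRoot, resolved) // both absolute, cannot fail
	return !strings.HasPrefix(filepath.ToSlash(r)+"/", "../"), nil
}

// escapingSymlinks walks a checked-out repository and returns the repo-relative
// paths of symlinks whose targets resolve outside it (dangling ones included).
func escapingSymlinks(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr // WalkDir itself never follows links
		}
		rel, _ := filepath.Rel(root, p)
		if ok, err := insideRepo(root, rel); err != nil || !ok {
			hits = append(hits, rel)
		}
		return nil
	})
	return hits, err
}
```

Any repository the scan flags, especially one with a random-looking 8-character name created around July 10, deserves a look at its PutContents history and its .git/config.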

Given the severity and active exploitation of this vulnerability, it is imperative for organizations using Gogs to implement these mitigation strategies promptly to safeguard their systems and data.