


Perceptive Security
SOC/SIEM Consultancy

Hackers exploit unpatched Gogs zero-day to breach 700 servers
Published:
11 December 2025 at 13:19:00
Alert date:
11 December 2025 at 13:21:19
Source:
bleepingcomputer.com
An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has been actively exploited by attackers to achieve remote code execution on Internet-facing instances. The vulnerability has led to the compromise of approximately 700 servers worldwide. Gogs is widely used by organizations for private Git repositories and source code management. Because the flaw is a zero-day, no patch was available when exploitation began, leaving users without a fix to apply. The scale of compromise indicates this is a critical security incident affecting the software development infrastructure of numerous organizations.
Technical details
CVE-2025-8110 is an unpatched zero-day vulnerability in Gogs that stems from a path traversal weakness in the PutContents API. The flaw allows attackers to bypass protections for a previously patched RCE bug (CVE-2024-55947) by using symbolic links to overwrite files outside the repository. Gogs validates path names to prevent directory traversal, but it does not validate symbolic link destinations. Attackers create repositories with symbolic links pointing to sensitive system files, then use the PutContents API to write data through the symlink, overwriting targets outside the repository. By overwriting Git configuration files, specifically the sshCommand setting, attackers can force target systems to execute arbitrary commands. The malware deployed was created using Supershell, an open-source C2 framework that establishes reverse SSH shells over web services.
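The validation gap described above, as an added example (not Gogs source code and not from the original article): a check that looks only at the path name next to one that resolves symbolic links before deciding. The function names, the temporary directory layout and the file names are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const sep = string(os.PathSeparator)

// nameOnlyCheck inspects the path string only: it stops ".." escapes but
// never looks at where a symlink inside the repository points.
func nameOnlyCheck(repoRoot, rel string) bool {
	return strings.HasPrefix(filepath.Join(repoRoot, rel)+sep, repoRoot+sep)
}

// resolvedCheck resolves symlinks first and requires the real location to
// stay inside the repository. Dangling links fail to resolve and are refused.
func resolvedCheck(repoRoot, rel string) bool {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false
	}
	target := filepath.Join(root, rel)
	if _, err := os.Lstat(target); os.IsNotExist(err) {
		target = filepath.Dir(target) // new file: only its parent chain can hold links
	}
	resolved, err := filepath.EvalSymlinks(target)
	return err == nil && strings.HasPrefix(resolved+sep, root+sep)
}

// demo builds a constructed layout in a temp dir; result is {nameOnly, resolved} per path.
func demo() map[string][2]bool {
	base, _ := os.MkdirTemp("", "symlink-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.MkdirAll(repo, 0o755)
	os.WriteFile(filepath.Join(base, "outside.conf"), []byte("x"), 0o644)
	os.Symlink("../outside.conf", filepath.Join(repo, "notes.txt"))
	out := map[string][2]bool{}
	for _, rel := range []string{"new.txt", "../outside.conf", "notes.txt"} {
		out[rel] = [2]bool{nameOnlyCheck(repo, rel), resolvedCheck(repo, rel)}
	}
	return out
}

func main() {
	fmt.Println(demo())
}
```

Checking and then writing are two separate steps, so a complete fix also has to ensure the path cannot be replaced by a link between the check and the write.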
Mitigation steps:
Immediately disable the open registration default setting and limit access to the server using a VPN or an allow list. Check for suspicious use of the PutContents API and look for repositories with random 8-character names to determine if the instance has been compromised.
Affected products:
Gogs (self-hosted Git service)
Over 1,400 Gogs servers exposed online
More than 700 instances compromised
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-8110
https://www.shodan.io/search?query=http.title%3A%22Sign+In+-+Gogs%22
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
Related CVE's:
Related threat actors:
IOC's:
119.45.176[.]196 (C2 server IP address)
Repositories with random eight-character names
Repositories created within same timeframe in July
Suspicious use of PutContents API
Supershell malware deployment
This article was created with the assistance of AI technology by Perceptive.
