Gogs Zero-Day Exploited: 700+ Servers Hit in Ongoing Attacks
A high-severity, unpatched zero-day in Gogs is being actively exploited, with more than 700 internet-facing instances showing signs of compromise, according to Wiz. Tracked as CVE-2025-8110 (CVSS 8.7), the flaw enables file overwrite via the PutContents API in the Go-based, self-hosted Git service. A fix is reportedly in progress after Wiz stumbled upon the issue during a July 2025 malware investigation.
Why it matters: The vulnerability stems from improper handling of symbolic links, allowing local code execution. It also serves as a bypass for CVE-2024-55947 (CVSS 8.7), a previously patched remote code execution flaw addressed by the Gogs maintainers in December 2024. Because Git (and Gogs) supports symlinks that can point outside a repository—and Gogs exposes a file-modification API—attackers can write arbitrary files on the server.
How the exploit works:
- Create a standard Git repository
- Commit a symbolic link targeting a sensitive path outside the repo
- Use the PutContents API to write through the symlink, overwriting the target
- Overwrite .git/config (sshCommand) to execute arbitrary commands and gain SSH access
Real-world impact: Wiz observed a Supershell-based payload establishing a reverse SSH shell to an attacker-controlled server (119.45.176[.]196). Attackers left telltale repositories (for example, random 8-character owner/repo pairs like "IV79VAew / Km4zoh4s") on victim workloads—suggesting a fast, "smash-and-grab" style campaign. Of roughly 1,400 exposed Gogs instances, more than 700 showed these markers, with repos created around July 10, 2025. The uniform tooling points to a single actor or closely coordinated group.
What to do now (no patch yet):
- Disable open registration immediately
- Restrict Gogs exposure to the public internet
- Scan for repos with random 8-character names and investigate
- Audit .git/config for suspicious sshCommand entries
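The two hunting steps above (random 8-character owner/repo names, `sshCommand` entries in a repository's Git config) can be scripted. The following is an added example for this page, not code from Wiz or the Gogs project; the repository list and config text are constructed samples, and how you enumerate repositories on your own Gogs host is left to you.

```python
import re

# Added hunting helper for the Gogs indicators listed above: owner/repo
# pairs that are both 8 random alphanumerics, and sshCommand keys in a
# Git config. Sample inputs below are constructed for this example.

EIGHT_ALNUM = re.compile(r"^[A-Za-z0-9]{8}$")

def looks_random(name: str) -> bool:
    """Exactly 8 alphanumerics drawn from at least two character classes."""
    if not EIGHT_ALNUM.match(name):
        return False
    classes = sum(bool(re.search(p, name)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return classes >= 2

def flag_random_repos(repos):
    """Return 'owner/repo' strings where both parts look machine-generated."""
    return [f"{o}/{r}" for o, r in repos if looks_random(o) and looks_random(r)]

def ssh_commands(config_text: str):
    """Return every core.sshCommand value in Git-style config text.
    Keys are matched case-insensitively; full-line comments are skipped,
    but values are kept whole so nothing after a '#' is hidden."""
    section, found = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1).split()[0].lower()   # [remote "origin"] -> remote
            continue
        key, _, value = line.partition("=")
        if section == "core" and key.strip().lower() == "sshcommand":
            found.append(value.strip())
    return found

# Constructed sample data (not from the report, apart from the cited name pattern).
SAMPLE_REPOS = [
    ("alice", "infra-docs"),
    ("IV79VAew", "Km4zoh4s"),   # pattern cited in the article
    ("build-bot", "ci"),
    ("Qp3xT9wL", "zR8kM2nV"),   # constructed
    ("abcdefgh", "12345678"),   # 8 chars but one character class each: not flagged
]
SAMPLE_CONFIG = "[core]\n\tbare = true\n\tsshCommand = /tmp/constructed-placeholder\n[remote \"origin\"]\n\turl = ssh://example.invalid/repo\n"

if __name__ == "__main__":
    print("suspicious repos:", flag_random_repos(SAMPLE_REPOS))
    print("sshCommand entries:", ssh_commands(SAMPLE_CONFIG))
```

Any `sshCommand` in a server-side bare repository deserves a look, so the parser returns every value and leaves the judgement to the analyst.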
Related threat: Leaked GitHub Personal Access Tokens (PATs) are being abused for initial access and cross-cloud lateral movement. With even basic read rights, attackers can use GitHub's API code search to find secret names in workflow YAML. With write permissions, they can create malicious workflows, execute code, and exfiltrate Cloud Service Provider (CSP) secrets to attacker-controlled webhooks—often bypassing Action logs.
Minimum PAT hygiene:
- Rotate any suspected or exposed tokens and enforce least-privilege scopes
- Restrict who can modify workflows; require reviews for Actions changes
- Monitor for unusual code-search activity and webhook exfiltration
Source: The Hacker News