Gogs Zero-Day Vulnerability Actively Exploited, Affecting Over 700 Instances
By John Jordan
A critical zero-day vulnerability in the Gogs self-hosted Git service is currently being actively exploited, with over 700 internet-accessible instances compromised. The flaw, identified as CVE-2025-8110, allows attackers to overwrite files and gain unauthorized access, posing a significant risk to organizations using the platform.

Key Takeaways
A severe unpatched vulnerability (CVE-2025-8110) in Gogs is under active exploitation.
Over 700 Gogs instances have been compromised.
The vulnerability allows for arbitrary file overwrite and remote code execution.
This is a bypass of a previously patched vulnerability (CVE-2024-55947).
A malware payload based on the Supershell C2 framework has been observed.
The Vulnerability Explained
The vulnerability, CVE-2025-8110, carries a CVSS score of 8.7 and resides within the file update API of Gogs. It stems from improper handling of symbolic links within the API. This allows an attacker to write a file to any location on the server, ultimately enabling them to gain SSH access.
This newly discovered flaw is a bypass for a previously patched remote code execution vulnerability, CVE-2024-55947, which was addressed in December 2024. The fix for CVE-2024-55947 could be circumvented by exploiting how Git and Gogs handle symbolic links in repositories, which can point to files outside the repository's scope. The Gogs API further exacerbates this by allowing file modifications outside the standard Git protocol.
Exploitation Method
Attackers can exploit this vulnerability through a four-step process:
1. Create a standard Git repository.
2. Commit a symbolic link pointing to a sensitive target file or directory.
3. Utilize the PutContents API to write data to the symbolic link, causing the system to follow the link and overwrite the target file.
4. Overwrite the .git/config file, specifically the sshCommand directive, to execute arbitrary commands.
Observed Attacks and Malware
The malware deployed in these attacks appears to be based on Supershell, an open-source command-and-control (C2) framework frequently used by Chinese hacking groups. This framework enables attackers to establish a reverse SSH shell to a server they control.
Researchers noted that the attackers left behind the repositories created during the exploitation, suggesting a "smash-and-grab" campaign. Out of approximately 1,400 exposed Gogs instances, over 700 showed signs of compromise, characterized by the presence of 8-character random owner/repository names, all created around July 10, 2025. This uniformity suggests a single actor or a coordinated group using identical tools.
Mitigation and Recommendations
As there is currently no patch available for CVE-2025-8110, users are strongly advised to take immediate protective measures. These include disabling open registration on Gogs instances, limiting their exposure to the internet, and actively scanning for repositories with random 8-character names, which are indicative of compromise.
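The scan recommended above can be automated against the Gogs repository directory on disk. The following is an added example written for this article, not code from the Gogs project or from the researchers cited; it assumes the usual Gogs layout of bare repositories at <repository root>/<owner>/<repo>.git, treats "random 8-character names" as exactly eight ASCII letters or digits on both the owner and the repository, and additionally flags any repository whose Git config sets the sshCommand directive mentioned in the exploitation steps. The sample repository tree it builds is constructed for demonstration.

```python
"""Hunt for the compromise indicators described above: random 8-character
owner/repository names and a core.sshCommand directive in a repository config.
Added example, not Gogs project code. The on-disk layout <root>/<owner>/<repo>.git
is an assumption about a typical Gogs installation."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumption: "random 8-character names" means exactly eight ASCII letters/digits.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
# Git config keys are case-insensitive; match the directive at the start of any line.
SSH_COMMAND = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)
# Window around the creation date the researchers reported (around July 10, 2025).
WINDOW_START = datetime(2025, 7, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 7, 12, tzinfo=timezone.utc)


def is_random_name(name):
    """True when an owner or repository name looks machine-generated."""
    return RANDOM_NAME.match(name) is not None


def config_has_ssh_command(repo_dir):
    """True when the repo config (bare layout or .git/ layout) sets sshCommand."""
    for rel in ("config", os.path.join(".git", "config")):
        path = os.path.join(repo_dir, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if SSH_COMMAND.search(fh.read()):
                    return True
    return False


def scan_repo_root(root, window=(WINDOW_START, WINDOW_END)):
    """Walk <root>/<owner>/<repo>.git and return one finding per suspicious repo."""
    findings = []
    for owner in sorted(os.listdir(root)):
        owner_dir = os.path.join(root, owner)
        if not os.path.isdir(owner_dir):
            continue
        for entry in sorted(os.listdir(owner_dir)):
            repo_dir = os.path.join(owner_dir, entry)
            if not os.path.isdir(repo_dir):
                continue
            repo = entry[:-4] if entry.endswith(".git") else entry
            reasons = []
            # Require both halves to look random to keep false positives down.
            if is_random_name(owner) and is_random_name(repo):
                reasons.append("random 8-char owner/repo name")
            if config_has_ssh_command(repo_dir):
                reasons.append("core.sshCommand set in repository config")
            if reasons:
                created = datetime.fromtimestamp(os.stat(repo_dir).st_mtime, tz=timezone.utc)
                findings.append({
                    "repo": f"{owner}/{repo}",
                    "reasons": reasons,
                    "in_window": window[0] <= created <= window[1],
                })
    return findings


def build_sample_root():
    """Constructed sample tree: one random-named repo, one clean repo, one with sshCommand."""
    root = tempfile.mkdtemp(prefix="gogs-sample-")

    def make_repo(owner, repo, config_text):
        path = os.path.join(root, owner, repo + ".git")
        os.makedirs(path)
        with open(os.path.join(path, "config"), "w", encoding="utf-8") as fh:
            fh.write(config_text)

    make_repo("ab12cd34", "xy98zz00", "[core]\n\tbare = true\n")
    make_repo("alice", "project", "[core]\n\tbare = true\n")
    make_repo("bob", "tooling", "[core]\n\tbare = true\n\tsshcommand = PLACEHOLDER_VALUE\n")
    return root


if __name__ == "__main__":
    for finding in scan_repo_root(build_sample_root()):
        print(finding["repo"], "->", "; ".join(finding["reasons"]),
              "(created in reported window)" if finding["in_window"] else "")
```

Point scan_repo_root at the real repository root of a Gogs host to run it in production; a hit on the sshCommand check is the stronger signal, since a legitimate bare repository created through Gogs has no reason to carry that directive. Closing open registration, the other mitigation named above, is done in Gogs through the DISABLE_REGISTRATION setting of the [service] section in app.ini.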
This disclosure follows recent warnings about threat actors targeting leaked GitHub Personal Access Tokens (PATs) to gain initial access to cloud environments and move laterally across cloud service providers.
Sources
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks, The Hacker News.