Critical Gogs zero-day under attack, 700 servers hacked

Hackers exploited an unpatched Gogs zero-day, allowing remote code execution and compromising around 700 Internet-facing servers.

Gogs is a self-hosted Git service, similar to GitHub, GitLab, or Bitbucket, but designed to be lightweight and easy to deploy. It allows individuals or organizations to host their own Git repositories on their servers, offering features like version control, issue tracking, pull requests, and web-based repository management. Being self-hosted, it gives teams full control over their data and infrastructure.

Threat actors exploited an unpatched Gogs zero-day, tracked as CVE-2025-8110, to achieve remote code execution and compromise about 700 Internet‑exposed servers.

Wiz researchers discovered the flaw while investigating a malware infection on a customer workload.

The flaw, a path‑traversal issue in the PutContents API, lets attackers bypass protections added for a previous RCE bug (CVE‑2024‑55947) by abusing symbolic links. Although newer Gogs versions validate path names, they don’t check symlink destinations.

Threat actors can therefore create repositories containing symlinks to sensitive system files and use PutContents to overwrite files outside the repository.

The researchers identified over 700 compromised instances public-facing on the internet.

“In our external scan, we identified over 1,400 Gogs servers publicly exposed to the internet. Many of these instances are configured with “Open Registration” enabled by default, creating a massive attack surface for the vulnerability described below.” reads the advisory published by Wiz.

The researchers explained that attack chain is simple for any user allowed to create repositories, which is enabled by default. An attacker creates a repo, commits a symbolic link to a sensitive file, then uses the PutContents API to write through that symlink, overwriting files outside the repository. By modifying .git/config, especially the sshCommand field, they can trigger execution of arbitrary commands. This flaw continues a recurring pattern in Gogs, where improper symlink handling has led to repeated exploitation in past vulnerabilities.

“Expanding our search via Shodan to review all exposed instances mentioned earlier, we found:

• ~1,400 total exposed instances
• 700+ confirmed compromised instances

In other words, over 50% of the exposed instances we observed showed signs of compromise.” continues the advisory.

All compromised Gogs instances showed a clear pattern: randomly generated 8-character owner/repo names created within the same short window on July 10, pointing to a single actor or group using the same automation tools.

Wiz discovered that attackers deployed malware built with Supershell, an open-source C2 framework that creates reverse SSH shells via web services. The infected systems communicated with a C2 server at 119.45.176[.]196.

Researchers reported the Gogs zero-day on July 17; maintainers acknowledged it only on October 30, however, the flaw has yet to be fixed. A second attack wave emerged on November 1. Gogs administrators are urged to disable open registration, restrict server access via VPN or allow lists, and check for compromise by reviewing suspicious PutContents API activity and repositories with random 8-character names.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)