Hundreds of Gogs Servers Compromised via Unpatched Zero-Day Vulnerability
A critical zero-day vulnerability (CVE-2025-8110) in Gogs, a self-hosted Git service, has allowed attackers to achieve remote code execution on exposed instances, compromising hundreds of servers. The flaw stems from a path traversal weakness in the PutContents API, enabling threat actors to bypass the protections added for a previously patched RCE bug (CVE-2024-55947) by exploiting symbolic links to overwrite sensitive system files.
While Gogs versions patched for CVE-2024-55947 now validate path names, they fail to check symlink destinations. Attackers exploit this by creating repositories with symlinks pointing to critical files—such as Git’s sshCommand configuration—allowing arbitrary command execution when data is written via the API.
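The missing check described above, written as an added Go example (this is not Gogs' own code): SafeWritePath is a hypothetical helper that performs the lexical path-name validation the patched versions already do, and then also refuses to write through a symlink at the leaf or into a directory whose resolved location lies outside the repository. It assumes the repository root and the target's parent directory already exist on disk.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("write path escapes the repository or goes through a symlink")

// SafeWritePath maps a repository-relative path from a content-write API call
// to the real filesystem path it would touch. Besides the lexical "../" check,
// it rejects a symlink at the leaf and resolves the parent chain before checking containment.
func SafeWritePath(repoRoot, relPath string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil { // repoRoot must exist
		return "", err
	}
	sep := string(filepath.Separator)
	// 1. Lexical check: absolute paths and ".." escapes are rejected.
	target := filepath.Join(root, relPath)
	if filepath.IsAbs(relPath) || !strings.HasPrefix(target, root+sep) {
		return "", ErrUnsafePath
	}
	// 2. Never write through a symlink at the leaf (the bypass the article describes).
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrUnsafePath
	} else if err != nil && !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	// 3. Resolve symlinks in the parent chain (parent must exist) and re-check containment.
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err
	}
	if parent != root && !strings.HasPrefix(parent, root+sep) {
		return "", ErrUnsafePath
	}
	return filepath.Join(parent, filepath.Base(target)), nil
}

func main() {
	// Stand-alone demo against the current directory: a traversal attempt is rejected.
	fmt.Println(SafeWritePath(".", "../etc/passwd"))
}
```

A write that passes all three checks can still race against a concurrent rename of a parent directory; on Linux an openat2 call with RESOLVE_BENEATH closes that window, which this example does not cover.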
Wiz Research discovered the vulnerability in July 2024 after investigating a malware infection on a customer’s exposed Gogs server. Their scan identified over 1,400 publicly accessible Gogs instances, with 700+ showing signs of compromise. All affected servers exhibited identical attack patterns, including repositories with random eight-character names created in the same timeframe, suggesting a single automated campaign.
The deployed malware, built using Supershell—an open-source C2 framework—established reverse SSH shells, communicating with a command-and-control server at 119.45.176[.]196. Many exposed instances had open registration enabled by default, expanding the attack surface.
Gogs maintainers were notified on July 17 and acknowledged the flaw on October 30, with a patch still in development. A second wave of attacks was observed on November 1, underscoring the urgency of mitigation. The vulnerability remains unpatched as of the latest disclosure.
"id": "CD-1765461818",
"linkid": "cd-projekt-sa",
"type": "Vulnerability",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "affected_entities": [
    {
      "customers_affected": "Unknown (potentially all users of compromised Gogs servers)",
      "industry": "Technology, Software Development",
      "location": "Global (Internet-facing servers)",
      "name": "Gogs users (self-hosted instances)",
      "size": "Unknown (1,400+ exposed instances)",
      "type": "Software/Service Provider"
    }
  ],
  "attack_vector": "Exploitation of unpatched zero-day vulnerability (CVE-2025-8110) via Internet-facing Gogs servers",
  "customer_advisories": "Check for signs of compromise (suspicious repositories, API usage) and apply recommended mitigations",
  "data_breach": {
    "data_exfiltration": "Possible via Supershell malware (C2 communication detected)",
    "file_types_exposed": "Git configuration files, symbolic links, system files",
    "sensitivity_of_data": "High (system-level access, potential for further exploitation)",
    "type_of_data_compromised": "System files, Git configurations, potential exfiltration of sensitive data via malware"
  },
  "date_detected": "2024-07",
  "date_publicly_disclosed": "2024-11-01",
  "description": "An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers. The flaw (CVE-2025-8110) stems from a path traversal weakness in the PutContents API, allowing threat actors to bypass protections for a previously patched RCE bug (CVE-2024-55947) by using symbolic links to overwrite files outside the repository. Attackers exploited this to overwrite Git configuration files and execute arbitrary commands.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage for organizations using vulnerable Gogs instances",
    "data_compromised": "System files and Git configurations overwritten; potential data exfiltration via malware",
    "operational_impact": "Arbitrary command execution on compromised servers; potential disruption of Git services",
    "systems_affected": "Over 700 Gogs servers compromised out of 1,400 exposed online"
  },
  "initial_access_broker": {
    "backdoors_established": "Supershell malware (reverse SSH shells)",
    "entry_point": "Internet-facing Gogs servers with open registration enabled"
  },
  "investigation_status": "Ongoing (patch in development as of October 2024)",
  "lessons_learned": "Default open registration settings in Gogs create a massive attack surface. Organizations must disable open registration and restrict access to self-hosted Git services. Regular monitoring for suspicious API usage and repository activity is critical.",
  "post_incident_analysis": {
    "corrective_actions": "Patch development in progress; users advised to disable open registration and restrict access",
    "root_causes": "Unpatched zero-day vulnerability (CVE-2025-8110) due to inadequate validation of symbolic links in PutContents API, combined with default open registration settings"
  },
  "recommendations": [
    "Immediately disable open registration in Gogs instances",
    "Limit access to Gogs servers using VPNs or allow lists",
    "Check for repositories with random 8-character names and suspicious PutContents API usage",
    "Monitor for communication with C2 server (119.45.176[.]196)",
    "Apply patches once available from Gogs maintainers"
  ],
  "references": [
    {"date_accessed": "2024-11-01", "source": "Wiz Research"},
    {"date_accessed": "2024-11-01", "source": "Shodan"}
  ],
  "response": {
    "communication_strategy": "Public disclosure by Wiz Research; advisories to Gogs users",
    "containment_measures": "Disable open registration, limit access via VPN or allow list",
    "enhanced_monitoring": "Check for suspicious PutContents API usage and repositories with random 8-character names",
    "remediation_measures": "Patch not yet available (as of November 2024); recommended to check for suspicious repositories/API usage",
    "third_party_assistance": "Wiz Research (vulnerability discovery and analysis)"
  },
  "stakeholder_advisories": "Gogs maintainers notified; users advised to disable open registration and restrict access",
  "threat_actor": "Single actor or group using automated tools (likely automated campaign)",
  "title": "Gogs Zero-Day Vulnerability Exploited for Remote Code Execution (CVE-2025-8110)",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2025-8110 (Path traversal in PutContents API via symbolic links)"
}