**Critical Gogs Zero-Day Under Attack: 700 Servers Hacked**

The open-source self-hosted Git service, Gogs, has been hit by a critical zero-day vulnerability that has compromised around 700 Internet-facing servers. The flaw, tracked as CVE-2025-8110, allows remote code execution and was exploited by threat actors to gain unauthorized access to sensitive data.

Gogs is designed to be lightweight and easy to deploy, offering features like version control, issue tracking, pull requests, and web-based repository management. However, its self-hosted nature also makes it vulnerable to attacks if not properly secured. The compromised servers were identified by Wiz researchers while investigating a malware infection on a customer workload.

The flaw is a path-traversal issue in the PutContents API, which lets attackers bypass protections added for a previous RCE bug (CVE-2024-55947) by abusing symbolic links. Although newer Gogs versions validate path names, they don't check symlink destinations. This allows threat actors to create repositories containing symlinks to sensitive system files and use PutContents to overwrite files outside the repository.

According to Wiz researchers, over 700 compromised instances were public-facing on the internet. "In our external scan, we identified over 1,400 Gogs servers publicly exposed to the internet. Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface for the vulnerability described below," reads the advisory published by Wiz.

The researchers explained that the attack chain is simple and can be carried out by any user allowed to create repositories, which is enabled by default. An attacker creates a repo, commits a symbolic link to a sensitive file, then uses the PutContents API to write through that symlink, overwriting files outside the repository. By modifying `.git/config`, especially the `sshCommand` field, they can trigger execution of arbitrary commands.

This flaw continues a recurring pattern in Gogs, where improper symlink handling has led to repeated exploitation in past vulnerabilities. Wiz discovered that attackers deployed malware built with Supershell, an open-source C2 framework that creates reverse SSH shells via web services. The infected systems communicated with a C2 server at 119.45.176[.]196.

Researchers reported the Gogs zero-day on July 17; maintainers acknowledged it only on October 30, however, the flaw has yet to be fixed. A second attack wave emerged on November 1. Gogs administrators are urged to disable open registration, restrict server access via VPN or allow lists, and check for compromise by reviewing suspicious PutContents API activity and repositories with random 8-character names.

**Action Items:**

* Disable open registration * Restrict server access via VPN or allow lists * Check for compromise by reviewing suspicious PutContents API activity and repositories with random 8-character names

**Stay Safe:** Follow me on Twitter (@securityaffairs) and Facebook (Security Affairs Page) to stay up-to-date on the latest cybersecurity news and threats.