A critical, unpatched security vulnerability in the self-hosted Git service Gogs is currently being actively exploited by attackers, with security researchers from Wiz identifying over 700 compromised instances accessible online. Tracked as CVE-2025-8110, this high-severity flaw (CVSS score: 8.7) allows for arbitrary file overwrite within the service’s file update API, potentially leading to severe consequences for compromised servers.
The vulnerability, a zero-day discovered by Wiz in July 2025, represents a bypass of a previously remediated remote code execution flaw (CVE-2024-55947). This new exploit enables attackers to write files to any location on the server, granting them SSH access and full control. The ongoing exploitation highlights a significant cloud security risk for organizations utilizing Gogs.
Exploitation of Gogs Vulnerability Leads to Widespread Compromise
The improper handling of symbolic links within Gogs’ PutContents API is at the heart of CVE-2025-8110. According to descriptions of the vulnerability, this loophole allows for local code execution. Gogs, a popular Go-based platform for self-hosted Git repositories, has confirmed that a fix for this specific issue is currently under development.
Wiz researchers explained that the patch for the earlier vulnerability, CVE-2024-55947, could be circumvented because Gogs allows symbolic links within Git repositories. These links can point outside the repository’s boundaries, and the Gogs API permits file modifications beyond the standard Git protocol, creating a pathway for exploitation.
The Four-Step Attack Process
Attackers can leverage this vulnerability to achieve arbitrary code execution through a specific sequence of actions. The process involves creating a standard Git repository, committing a symbolic link that points to a sensitive target, and then using the PutContents API to write data to this symlink. This action causes the system to follow the link and overwrite the targeted file, which resides outside the repository. Finally, the attacker overwrites the “.git/config” file, specifically the “sshCommand” directive, to execute arbitrary commands on the server.
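The defensive counterpart to the sequence above is a write path that never lets a committed symlink decide where the bytes land. The following Go function is an added illustration written for this article, not Gogs’ code and not the pending fix; the function name, error values and the exact ordering of checks are assumptions. It rejects lexical traversal, refuses to write through a symlink at the requested path, and resolves the deepest existing parent directory so a symlinked directory cannot redirect the write outside the repository root.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRepo = errors.New("target resolves outside the repository root")
var ErrSymlinkTarget = errors.New("refusing to write through a symbolic link")

// SafeTargetPath validates a repository-relative write path the way a hardened
// file-update endpoint should: it rejects lexical traversal, refuses a symlink at
// the final component, and resolves symlinks in the deepest existing ancestor so
// a committed directory symlink cannot redirect the write outside the repo.
func SafeTargetPath(repoRoot, relPath string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err == nil {
		root, err = filepath.EvalSymlinks(root) // canonical repository root
	}
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	candidate := filepath.Join(root, relPath) // Join cleans "." and ".." segments
	if filepath.IsAbs(relPath) || !strings.HasPrefix(candidate, root+sep) {
		return "", ErrEscapesRepo
	}
	// The vulnerable pattern is opening the path for writing and letting the
	// kernel follow a committed symlink; refuse any symlink at the target itself.
	if fi, err := os.Lstat(candidate); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrSymlinkTarget
	}
	// New files may sit in not-yet-created directories, so resolve only the
	// deepest ancestor that exists and check where it really lives.
	dir := filepath.Dir(candidate)
	for _, err := os.Lstat(dir); err != nil; _, err = os.Lstat(dir) {
		dir = filepath.Dir(dir)
	}
	realDir, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return "", err
	}
	if realDir != root && !strings.HasPrefix(realDir, root+sep) {
		return "", ErrEscapesRepo
	}
	return filepath.Join(realDir, strings.TrimPrefix(candidate, dir)), nil
}
```

A check-then-write race still exists between the Lstat and the eventual open, so a production endpoint would additionally open the returned path with a no-follow flag.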
The malware deployed in these attacks is reportedly based on Supershell, an open-source command-and-control (C2) framework frequently used by Chinese hacking groups. The framework establishes a reverse SSH shell to an attacker-controlled server at the IP address 119.45.176[.]196.
Wiz noted that the threat actors responsible for exploiting CVE-2025-8110 exhibited a degree of carelessness, leaving behind the compromised repositories on customer cloud workloads. This suggests a “smash-and-grab” operation rather than a stealthy, targeted campaign. The presence of random 8-character owner and repository names in over 700 compromised instances indicates a coordinated effort, likely by a single actor or a group employing identical tools.
With approximately 1,400 Gogs instances exposed online and over 700 showing signs of compromise, the risk is substantial. The identified compromised repositories were all created around July 10, 2025, further supporting the likelihood of a single attack vector.
Given that a patch for CVE-2025-8110 is not yet available, Gogs users are strongly advised to disable open registration, restrict internet exposure of their instances, and actively scan for repositories exhibiting random 8-character naming conventions. This proactive security measure is crucial to mitigate potential damage from this ongoing cloud security threat.
This disclosure follows recent warnings from Wiz regarding threat actors targeting leaked GitHub Personal Access Tokens (PATs). These tokens are being leveraged as high-value entry points for initial access into victim cloud environments, and can even facilitate lateral movement across different cloud service providers (CSPs). Attackers can use PATs with basic read permissions to discover sensitive information embedded within workflow YAML files. If the compromised PAT has write permissions, attackers can execute malicious code and subsequently remove traces of their activity, exacerbating the security risks.