Gogs Zero-Day Exploited in 700+ Instances

These articles are AI-generated summaries. Please check the original sources for full details.

A critical zero-day vulnerability (CVE-2025-8110) in the self-hosted Git service Gogs is being actively exploited, impacting over 700 publicly accessible instances. The flaw, with a CVSS score of 8.7, allows attackers to overwrite files and achieve remote code execution.

Why This Matters

Ideal security models assume prompt patching, but real-world deployment lags leave systems exposed to both known and zero-day vulnerabilities. This Gogs flaw, which bypasses a previous fix (CVE-2024-55947), demonstrates the risk of incomplete mitigation and the potential for widespread compromise: the 700+ affected instances represent a significant attack surface and a real data breach risk.

Key Insights

  • CVE-2025-8110: File overwrite vulnerability in Gogs, discovered in July 2025.
  • Symlink Bypass: Attackers circumvented a prior patch by exploiting Git’s symbolic link handling within the Gogs API.
  • Supershell C2: The malware deployed in the attacks utilizes the Supershell command-and-control framework, often associated with Chinese hacking groups.

Practical Applications

  • Use Case: Attackers are leveraging the vulnerability for “smash-and-grab” style attacks, deploying malware and establishing reverse SSH shells.
  • Pitfall: Relying on a single patch without accounting for the underlying behaviour it depends on (here, Git’s symbolic link handling) can lead to bypasses and continued exploitation.
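The pitfall above is a general one: a path check that only inspects the string a client supplies can be satisfied while a symbolic link already present in the working tree redirects the eventual write elsewhere. The following Go function is an added illustration of the defensive principle, not code from Gogs and not a representation of the actual CVE-2025-8110 fix. It assumes a service that writes client-supplied relative paths under a per-repository root directory, and it rejects a request both when the cleaned path escapes that root lexically and when any existing component on the way to the target is a symlink.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a requested path would escape the
// repository root or pass through a symbolic link.
var ErrUnsafePath = errors.New("unsafe path: escapes root or traverses a symlink")

// SafeJoin resolves rel inside root and returns the absolute path the caller
// may write to. It rejects two classes of input that a pure string check
// misses: lexical traversal ("../") and any path component that already
// exists on disk as a symbolic link (for example one committed earlier).
func SafeJoin(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Lexical check: after Join cleans the path it must still be under root.
	target := filepath.Join(absRoot, rel)
	if target != absRoot && !strings.HasPrefix(target, absRoot+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	// Physical check: Lstat (not Stat) each existing component so a symlink
	// is seen as a symlink instead of being silently followed.
	relClean, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	cur := absRoot
	for _, part := range strings.Split(relClean, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing further exists yet, so nothing can be followed
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrUnsafePath
		}
	}
	return target, nil
}

func main() {
	// Constructed demo layout: a temporary repo root containing a symlink
	// named "link" that points outside the root.
	root, _ := os.MkdirTemp("", "repo")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.Symlink(outside, filepath.Join(root, "link"))

	for _, rel := range []string{"docs/README.md", "../escape.txt", "link/notes.txt"} {
		if p, err := SafeJoin(root, rel); err != nil {
			fmt.Printf("%-18s rejected: %v\n", rel, err)
		} else {
			fmt.Printf("%-18s ok -> %s\n", rel, p)
		}
	}
}
```

The two checks are deliberately separate: the lexical check is cheap and catches malformed input early, while the Lstat walk is what actually defends against a link planted in the tree. A production service would additionally create the file with O_NOFOLLOW semantics or under a locked working tree, because the walk and the write are still two operations.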
