Unpatched Gogs Vulnerability Actively Exploited in the Wild


A serious, still-unpatched vulnerability in Gogs is being actively exploited, and researchers at Wiz say more than 700 internet-facing servers have already been compromised.

The bug, tracked as CVE-2025-8110 with a severity score of 8.7, stems from a file-overwrite issue in Gogs’ file update API. There’s no fix yet, although the maintainers are working on one. Wiz says it stumbled onto the zero-day in July 2025 while investigating a malware infection for a customer.

At the core of the problem is how Gogs handles symbolic links. According to CVE.org, improper symlink handling in the PutContents API can allow local code execution. In practice, it turns out to be even more dangerous: CVE-2025-8110 essentially bypasses a patch released for a previous 2024 remote code execution flaw (CVE-2024-55947). That earlier issue allowed attackers to write arbitrary files to the server and gain SSH access.

Wiz found that the 2024 fix didn’t fully account for symlinks inside Git repositories. Since Git (and by extension Gogs) allows symlinks that point outside the repo, and since the Gogs API lets users modify files directly, an attacker can abuse the API to overwrite sensitive files on the server.
The exploitation flow is straightforward:
1. Create a normal Git repository
2. Add a symlink that points to a sensitive file on the server
3. Use the PutContents API to write to the symlink, causing the write to hit the real file outside the repo
4. Overwrite .git/config — particularly the sshCommand setting — to execute arbitrary commands
Once that chain completes, the attacker can run code on the host.

Supershell-Based Malware Deployed
During the incident that led to discovery of the flaw, Wiz found malware based on Supershell, an open-source C2 framework frequently used by Chinese threat actors. The payload opened a reverse SSH connection to an attacker-controlled server at 119.45.176[.]196.

The intruders didn’t exactly cover their tracks. They left behind the repositories they created with names like IV79VAew and Km4zoh4s instead of deleting them or marking them private. Wiz says this kind of sloppiness suggests a broad, smash-and-grab campaign rather than a slow, stealthy operation.

Out of roughly 1,400 exposed Gogs instances, more than 700 show signs of compromise. Nearly all of the suspicious repositories share the same pattern: random 8-character names created around July 10, 2025, indicating a single actor or a coordinated group using identical tooling.
With no official patch available, Gogs users are urged to:
1. Disable open registration
2. Restrict internet exposure
3. Look for repositories with random 8-character names
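To make the third recommendation concrete, here is an added Python triage script (not code from Wiz, Gogs or the original article) that flags repositories whose names match the reported pattern and whose creation time sits near July 10, 2025. It assumes each repository record carries "name", "full_name" and an ISO-8601 "created_at" as the Gogs REST API returns them; the seven-day window and the character-class heuristic are this example's own choices, and the sample listing is constructed, with only the two repository names taken from the report.

```python
"""Triage a Gogs repository listing for random 8-character names created
around the reported campaign date. Heuristic only: every hit needs a human look."""
import re
from datetime import datetime, timedelta, timezone

ALNUM8 = re.compile(r"^[A-Za-z0-9]{8}$")
CAMPAIGN_DATE = datetime(2025, 7, 10, tzinfo=timezone.utc)
WINDOW = timedelta(days=7)  # assumption: how far around the reported date to look


def looks_random(name: str) -> bool:
    """8 alphanumerics using all three classes (lower, upper, digit), as the
    observed names IV79VAew and Km4zoh4s do. Real project names rarely mix all three."""
    if not ALNUM8.match(name):
        return False
    return all(re.search(p, name) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))


def in_window(created_at: str) -> bool:
    """True if the ISO-8601 timestamp falls within WINDOW of CAMPAIGN_DATE."""
    ts = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    return abs(ts - CAMPAIGN_DATE) <= WINDOW


def triage(repos):
    """Return [(full_name, reason)] for repositories worth a manual review."""
    hits = []
    for r in repos:
        rnd, win = looks_random(r["name"]), in_window(r["created_at"])
        if rnd and win:
            hits.append((r["full_name"], "random 8-char name created in campaign window"))
        elif rnd:
            hits.append((r["full_name"], "random 8-char name outside window"))
        elif win and ALNUM8.match(r["name"]):
            hits.append((r["full_name"], "8-char name in window (low confidence)"))
    return hits


# Constructed sample listing; only the first two repository names come from the report.
SAMPLE_REPOS = [
    {"name": "IV79VAew", "full_name": "u1/IV79VAew", "created_at": "2025-07-10T03:12:00Z"},
    {"name": "Km4zoh4s", "full_name": "u2/Km4zoh4s", "created_at": "2025-07-11T18:40:00Z"},
    {"name": "project1", "full_name": "dev/project1", "created_at": "2025-07-09T09:00:00Z"},
    {"name": "website", "full_name": "dev/website", "created_at": "2025-07-12T09:00:00Z"},
    {"name": "Ab12cd34", "full_name": "qa/Ab12cd34", "created_at": "2025-03-01T09:00:00Z"},
]

if __name__ == "__main__":
    for full_name, reason in triage(SAMPLE_REPOS):
        print(f"{full_name:<16} {reason}")
```

Feed it the JSON from your instance's repository listing (for example, an admin export) rather than the sample, and review every hit's commit history for symlinks and for changes to .git/config.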

Attackers Targeting Leaked GitHub PATs as Well
Wiz also warns that threat actors are increasingly going after leaked GitHub Personal Access Tokens (PATs) as a way to break into cloud environments.

The problem: even a read-only PAT can access GitHub’s API to search code for the names of GitHub Actions secrets. And if the compromised PAT has write permissions, attackers can create malicious workflows, execute code inside CI/CD pipelines, harvest cloud provider credentials, and quietly exfiltrate secrets without leaving logs.

In one set of attacks, threat actors created new GitHub Actions workflows that sent secrets to a webhook they controlled, completely skipping GitHub’s built-in logging.

Source: The Hacker News

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067