
Ethical Hacking News

Critical Gogs Zero-Day Exploit: 700 Internet-Facing Servers Compromised


700 Internet-facing servers have been compromised due to a newly discovered critical zero-day vulnerability in Gogs. The vulnerability allows attackers to bypass protections added for previous RCE bugs by abusing symbolic links, potentially leading to unauthorized access and data exfiltration.

  • Over 1,400 Gogs servers were publicly exposed to the internet with many configured to allow open registration.
  • 700 Gogs instances, approximately 50% of those exposed, showed signs of compromise.
  • A zero-day exploit (CVE-2025-8110) was discovered, allowing attackers to bypass previous RCE bug protections by abusing symbolic links.
  • The vulnerability enables malicious activity such as unauthorized access and data exfiltration.
  • Security experts recommend disabling open registration, restricting server access, and performing regular vulnerability scans.



  • Critical Gogs zero-day under attack, 700 servers hacked

    As security researchers and experts, we have been monitoring a critical zero-day exploit targeting the popular self-hosted Git service Gogs. The vulnerability, tracked as CVE-2025-8110, was discovered by Wiz researchers while investigating a malware infection on a customer workload. The flaw, a path-traversal issue in the PutContents API, allows threat actors to bypass protections added for a previous RCE bug (CVE-2024-55947) by abusing symbolic links.

    In simpler terms, the vulnerability enables attackers to create repositories containing symlinks to sensitive system files and use the PutContents API to overwrite files outside the repository. This malicious activity can potentially lead to unauthorized access, data exfiltration, and other forms of cyber attacks on compromised systems.
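    The difference between a string-only path check and a symlink-aware one, as an added Go example (not Gogs code and not from the original article). The function names and the temporary directory layout are constructed for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lexicalInside cleans the string only: it rejects "../" but not a symlink.
func lexicalInside(root, rel string) bool {
	return strings.HasPrefix(filepath.Join(root, rel), root+string(os.PathSeparator))
}

// resolvedInside follows symlinks before comparing against the real root.
func resolvedInside(root, rel string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	target := filepath.Join(realRoot, rel)
	real, err := filepath.EvalSymlinks(target)
	if os.IsNotExist(err) {
		if _, lerr := os.Lstat(target); lerr == nil {
			return false, nil // dangling symlink: a write would create its target
		}
		// New file: resolve the parent directory and re-attach the file name.
		real, err = filepath.EvalSymlinks(filepath.Dir(target))
		real = filepath.Join(real, filepath.Base(target))
	}
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(real, realRoot+string(os.PathSeparator)), nil
}

func main() {
	// Constructed tree: repo/link is a symlink to a file outside the repo.
	base, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.Mkdir(repo, 0o755)
	os.WriteFile(filepath.Join(base, "outside.conf"), []byte("x"), 0o600)
	os.Symlink(filepath.Join(base, "outside.conf"), filepath.Join(repo, "link"))
	for _, rel := range []string{"link", "README.md", "../outside.conf"} {
		ok, err := resolvedInside(repo, rel)
		fmt.Println(rel, lexicalInside(repo, rel), ok, err)
	}
}
```

    A check followed by a separate write can still race if the tree changes in between; Go 1.24's `os.Root` confines file opens to a directory for that case.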

    According to reports from Wiz, over 1,400 Gogs servers were publicly exposed to the internet, with many instances configured to allow open registration by default. The researchers identified over 700 compromised instances, approximately 50% of those exposed. All compromised Gogs instances exhibited a clear pattern: randomly generated 8-character owner/repo names created within a short window on July 10.

    The attackers deployed malware built with Supershell, an open-source C2 framework that creates reverse SSH shells via web services. The infected systems communicated with a C2 server at 119.45.176[.]196. Interestingly, researchers reported the Gogs zero-day on July 17; however, the maintainers acknowledged it only on October 30. A second attack wave emerged on November 1.

    In light of this critical vulnerability, security experts recommend that Gogs administrators take immediate action to protect their systems and data. Disabling open registration, restricting server access via VPN or allow lists, and checking for compromise by reviewing suspicious PutContents API activity and repositories with random 8-character names are essential steps to prevent further exploitation.

    Furthermore, the discovery of this zero-day exploit highlights the importance of regular vulnerability scanning, patch management, and security updates. Organizations must prioritize the implementation of robust security measures to safeguard against emerging threats like this one.

    In conclusion, the Gogs zero-day exploit is a stark reminder of the potential risks associated with self-hosted services and the importance of prioritizing cybersecurity in today's digital landscape.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Gogs-Zero-Day-Exploit-700-Internet-Facing-Servers-Compromised-ehn.shtml

  • Published: Thu Dec 11 16:06:49 2025 by llama3.2 3B Q4_K_M












