Ethical Hacking News

Hackers Exploit Unpatched Gogs Zero-Day to Breach 700 Servers: A Cautionary Tale of Cybersecurity Negligence



Hackers have exploited a previously unpatched zero-day vulnerability in Gogs (CVE-2025-8110), compromising over 700 instances. The attack highlights the importance of timely patching and of prioritizing cybersecurity posture to prevent similar breaches.

  • Internet-facing Gogs servers were breached through an unpatched zero-day vulnerability (CVE-2025-8110).
  • The vulnerability allows threat actors to bypass existing path-traversal protections by using symbolic links to overwrite files outside the repository.
  • Attackers can leverage this vulnerability to compromise systems by overwriting Git configuration files, specifically the sshCommand setting.
  • Researchers found over 1,400 Gogs servers exposed online, with more than 700 instances showing signs of compromise in what appears to be a coordinated campaign.
  • The attackers used advanced tools and techniques, including Supershell, an open-source command-and-control framework.
  • Delayed patching and response time have raised concerns about the effectiveness of Gogs' incident response procedures.



    Gogs, a popular self-hosted Git service designed as an alternative to GitLab or GitHub Enterprise, has recently found itself at the center of a significant cybersecurity breach. According to recent reports, hackers have exploited an unpatched zero-day vulnerability in Gogs (CVE-2025-8110) to gain remote code execution on Internet-facing instances and compromise hundreds of servers. This attack highlights the critical importance of timely patching and the need for organizations to prioritize their cybersecurity posture.

    The Gogs RCE vulnerability stems from a path traversal weakness in the PutContents API and allows threat actors to bypass previously implemented protections by using symbolic links to overwrite files outside the repository. Gogs versions that fixed the earlier CVE-2024-55947 security bug validate path names to prevent directory traversal, but they still fail to validate the destination of symbolic links. This oversight enables attackers to create repositories containing symbolic links pointing to sensitive system files and then use the PutContents API to write data through the symlink, overwriting targets outside the repository.
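
    The gap described above, a path-name check that passes while the symlink's destination is never examined, is shown here beside a check that resolves symlinks first. This is an added Go example, not Gogs's code or its patch; `SafeTarget`, `within` and `ErrEscapesRepo` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRepo = errors.New("path resolves outside repository root")

// within is a pure string check: is p the root itself or beneath it?
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// SafeTarget returns the real path for rel under root, or an error if the
// path, after symlinks are resolved, would leave the repository.
func SafeTarget(root, rel string) (string, error) {
	full := filepath.Join(root, rel) // Join collapses "../": the name-only check
	if !within(filepath.Clean(root), full) {
		return "", ErrEscapesRepo
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	toResolve, leaf := full, ""
	if _, err := os.Lstat(full); errors.Is(err, os.ErrNotExist) {
		// Nothing at that name yet: resolve the parent directory instead.
		toResolve, leaf = filepath.Dir(full), filepath.Base(full)
	}
	// An existing entry, including a dangling symlink, must resolve or fail.
	resolved, err := filepath.EvalSymlinks(toResolve)
	if err != nil {
		return "", err
	}
	if resolved = filepath.Join(resolved, leaf); !within(realRoot, resolved) {
		return "", ErrEscapesRepo
	}
	return resolved, nil
}

func main() { // constructed sample: a repo entry that is a symlink to the outside
	root, _ := os.MkdirTemp("", "repo")
	os.Symlink(os.TempDir(), filepath.Join(root, "notes"))
	_, err := SafeTarget(root, "notes")
	fmt.Println("notes:", err)
}
```

    The check and the later write are separate steps, so a server with concurrent writers should also open the target without following symlinks.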

    Attackers can leverage this vulnerability to compromise systems by overwriting Git configuration files, specifically the sshCommand setting, which allows them to force target systems to execute arbitrary commands. This level of exploitation underscores the gravity of the situation and serves as a stark reminder of the importance of keeping software up to date with the latest security patches.

    Researchers from Wiz Research discovered this vulnerability in July while investigating a malware infection affecting a customer's Internet-facing Gogs server. In total, the researchers found over 1,400 Gogs servers exposed online, with more than 700 instances showing signs of compromise. This alarming finding highlights the sheer scale of the attack and underscores the potential for significant damage if left unaddressed.

    The compromised instances displayed identical patterns, including repositories with random eight-character names created within the same timeframe in July, suggesting a single actor or group using automated tools is behind the campaign. The attackers appear to have taken a coordinated approach, likely leveraging advanced tools and techniques to maximize their impact.

    Further analysis revealed that the malware deployed was created using Supershell, an open-source command-and-control (C2) framework that establishes reverse SSH shells over web services. The malware communicated with a command-and-control server at 119.45.176[.]196, further indicating the sophistication of the attack and the resources available to the attackers.

    Gogs maintainers were informed of the vulnerability on July 17, and they acknowledged the flaw on October 30, when they were still developing a patch. A second wave of attacks was observed on November 1. The delayed patching and response time have raised concerns about the effectiveness of Gogs' incident response procedures and the ability of its users to protect themselves against such attacks.

    In light of this attack, it is essential for Gogs users to take immediate action to secure their instances. Disabling open registration, which is enabled by default, and limiting access to the server using a VPN or an allow list can significantly reduce the risk of exploitation. Users who wish to check whether their instance has already been compromised should look for suspicious use of the PutContents API and for repositories with random eight-character names.
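
    A triage pass for the repository-name indicator above and for the sshCommand overwrite described earlier, added here as an example and not taken from Gogs or Wiz Research. It assumes repositories are stored as `<root>/<owner>/<repo>.git`, that "random" names are eight ASCII letters or digits, and that the setting appears as an `sshCommand` key in a Git `config` file; `AuditRepoRoot` and `Finding` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumption: "random eight-character names" means 8 ASCII letters or digits.
var eightChar = regexp.MustCompile(`^[A-Za-z0-9]{8}\.git$`)

// Finding is one reason a Git directory deserves manual review.
type Finding struct{ Repo, Reason string }

// AuditRepoRoot walks root and inspects every Git directory (a bare
// "name.git" or a working copy's ".git") for the two indicators.
func AuditRepoRoot(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() || !strings.HasSuffix(d.Name(), ".git") {
			return err
		}
		if eightChar.MatchString(d.Name()) {
			out = append(out, Finding{p, "eight-character repository name"})
		}
		if f, err := os.Open(filepath.Join(p, "config")); err == nil {
			defer f.Close()
			for sc := bufio.NewScanner(f); sc.Scan(); {
				line := strings.TrimSpace(sc.Text())
				if key, _, _ := strings.Cut(line, "="); strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
					out = append(out, Finding{p, "config: " + line})
				}
			}
		}
		return fs.SkipDir // never descend into the Git directory itself
	})
	return out, err
}

func main() { // constructed sample tree: one repo whose config sets sshCommand
	root, _ := os.MkdirTemp("", "gogs-repositories")
	repo := filepath.Join(root, "alice", "k3Jx9QpL.git")
	os.MkdirAll(repo, 0o755)
	os.WriteFile(filepath.Join(repo, "config"), []byte("[core]\n\tsshCommand = placeholder\n"), 0o644)
	fmt.Println(AuditRepoRoot(root))
}
```

    Ordinary repositories can also have eight-character names, so treat name matches as leads to correlate with creation time, not as proof of compromise.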

    The attack on Gogs serves as a stark reminder of the importance of prioritizing cybersecurity and staying vigilant in the face of emerging threats. As the landscape of cyber attacks continues to evolve, it is essential that organizations remain proactive in addressing potential vulnerabilities and ensuring their systems are adequately protected against even the most sophisticated threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Unpatched-Gogs-Zero-Day-to-Breach-700-Servers-A-Cautionary-Tale-of-Cybersecurity-Negligence-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-flaw-actively-exploited-in-attacks/

  • https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html

  • https://blog.rdpcore.com/zero-day-exploits-how-hackers-find-and-use-unknown-vulnerabilities

  • https://nvd.nist.gov/vuln/detail/CVE-2025-8110

  • https://www.cvedetails.com/cve/CVE-2025-8110/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-55947

  • https://www.cvedetails.com/cve/CVE-2024-55947/


  • Published: Thu Dec 11 07:28:27 2025 by llama3.2 3B Q4_K_M












