Market Impact: 0.32

Hackers exploit unpatched Gogs zero-day to breach 700 servers

GTLB
Cybersecurity & Data Privacy, Technology & Innovation

A zero-day path-traversal vulnerability in the self-hosted Git service Gogs (CVE-2025-8110) has been exploited to achieve remote code execution: attackers abuse the PutContents API and symbolic links to overwrite files outside repositories (notably the git config sshCommand setting), which lets them run arbitrary commands. Wiz Research found the issue in July while investigating infections and tied the campaign to malware built on the Supershell C2 framework (contacting 119.45.176[.]196). In an external scan Wiz identified over 1,400 Internet-exposed Gogs instances, more than 700 of which showed identical signs of compromise (random eight-character repositories created in July), suggesting a single automated actor; a second wave was observed Nov. 1, and the maintainers only acknowledged the flaw on Oct. 30 while a patch was still in development. Operators are urged to disable Gogs' open-registration default, restrict access via VPN or allow lists, and hunt for PutContents abuse and random eight-character repositories; the incident highlights material operational and supply-chain risk from widely exposed self-hosted code platforms.

Analysis

CVE-2025-8110 is a zero-day path-traversal remote code execution vulnerability in the self-hosted Git service Gogs. It is exploited by abusing the PutContents API together with symbolic links to overwrite files outside repositories, which lets attackers alter Git configuration (notably sshCommand) and execute arbitrary commands. The flaw circumvents the earlier fix for CVE-2024-55947: path names are validated, but the destination of symbolic links is not, so a write through a symlink can reach sensitive system files. Wiz Research discovered the issue in July while investigating an infection and found more than 1,400 Internet-exposed Gogs servers, over 700 of which showed identical compromise indicators (random eight-character repositories created in July), pointing to a single automated actor; the deployed malware used the open-source Supershell C2 and contacted 119.45.176[.]196. The researchers reported the bug to Gogs on July 17, the maintainers acknowledged it on Oct. 30 while a patch was in development, and a second wave of attacks was observed on Nov. 1, underscoring active exploitation. Operationally, the incident creates immediate remediation priorities for operators (disable open registration, restrict access via VPN/allow lists, hunt for PutContents abuse and eight-character repositories) and raises supply-chain and enterprise code-hosting risk that can generate negative market sentiment for adjacent technology providers and customers while patches and forensics are ongoing.
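The symlink gap described above, as an added illustration in Go (the language Gogs is written in) that is not Gogs' own code: a hypothetical name-only check of the kind the analysis says was present, beside a hardened check that resolves symlinks on disk before deciding whether a write stays inside the repository. The function names, the ErrEscapesRepo value and the constructed temporary directories are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRepo = errors.New("path escapes repository root")
// nameOnlyCheck (hypothetical) mirrors the class of check the article says existed:
// it validates the name but never asks where a symlink already on disk points.
func nameOnlyCheck(repoRoot, rel string) (string, error) {
	if rel == "" || filepath.IsAbs(rel) || strings.Contains(rel, "..") {
		return "", ErrEscapesRepo
	}
	return filepath.Join(repoRoot, rel), nil
}

// safeRepoPath adds the missing on-disk checks: the target itself must not be a symlink,
// and the fully resolved parent directory must stay under the resolved repo root.
func safeRepoPath(repoRoot, rel string) (string, error) {
	if _, err := nameOnlyCheck(repoRoot, rel); err != nil {
		return "", err
	}
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, rel)
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrEscapesRepo // file-level link, e.g. config -> a file outside the repo
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(target)) // parent must exist
	if err != nil {
		return "", err
	}
	if parent != root && !strings.HasPrefix(parent, root+string(filepath.Separator)) {
		return "", ErrEscapesRepo // directory-level link pointing outside the repo
	}
	return filepath.Join(parent, filepath.Base(target)), nil
}

func main() {
	root, _ := os.MkdirTemp("", "repo")
	outside, _ := os.MkdirTemp("", "outside")
	_ = os.Symlink(outside, filepath.Join(root, "escape")) // constructed escape link
	fmt.Println(safeRepoPath(root, "escape/config"))       // rejected: path escapes repository root
}
```

The name-only check accepts "escape/config" because the string itself looks harmless; only resolving the on-disk symlink reveals that the write would land outside the repository.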


Market Sentiment

Overall Sentiment: strongly negative
Sentiment Score: -0.68
Ticker Sentiment: GTLB 0.00

Key Decisions for Investors

  • Assess portfolio companies and suppliers for use of self-hosted Gogs and require immediate mitigations (disable open registration, restrict access to VPN/allow lists) given the reported 1,400 exposed instances and 700+ compromises
  • Monitor Gogs maintainer disclosures and proof-of-patch validation before reducing operational risk provisions; treat the Oct. 30 acknowledgement and Nov. 1 second wave as indicators of ongoing exploitation
  • Avoid conflating this Gogs-specific flaw with GitLab but monitor GTLB for potential reputational or market contagion and be prepared to hedge short-term positions if analyst commentary or customer churn emerges
  • Prioritize cyber-risk engagements: increase intrusion detection/hunting for PutContents API abuse and random 8-character repositories, and evaluate cyber insurance and vendor-security exposure across portfolio companies