Back to News
Market Impact: 0.35

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

GTLBFFIV
Cybersecurity & Data PrivacyTechnology & Innovation
Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

Wiz Research discovered an active zero-day in Gogs (CVE-2025-8110) that leverages a symbolic-link bypass of a previously patched RCE to let authenticated users overwrite files outside repositories and achieve remote code execution; maintainers have acknowledged the issue but a patch was not available as of Dec. 10, 2025. Wiz’s scans found ~1,400 internet-exposed Gogs instances and confirmed 700+ compromises exhibiting an automated “smash-and-grab” pattern tied to Supershell C2 malware, with exploitation trivial where repository-creation or open-registration (the default) is enabled. The flaw enables overwriting sensitive files (e.g., .git/config) to force command execution, posing material risk to self-hosted Git deployments and cloud workloads; immediate mitigations include disabling open registration, restricting internet exposure (VPN/IP allow-lists), and monitoring for random 8-character repos and anomalous PutContents API activity.

Analysis

Wiz Research discovered an active zero-day in the self-hosted Git service Gogs (CVE-2025-8110) that leverages a symbolic-link bypass of a previously patched RCE (CVE-2024-55947), allowing authenticated users to overwrite files outside a repository and achieve remote code execution; Wiz found ~1,400 internet-exposed Gogs instances and confirmed 700+ compromised instances, with active exploitation continuing and no available patch as of Dec 10, 2025. The exploit chain is trivial for any account with repository-creation rights (default behavior with open-registration): an attacker commits a symlink to a sensitive target, uses the PutContents API to write through the link and can overwrite .git/config (notably sshCommand) to force arbitrary command execution. Evidence shows an automated “smash-and-grab” campaign beginning July 10 (repositories with random 8-character names), a second wave Nov 1, and payloads tied to a Supershell C2 framework (C2 server 119.45.176.196) using UPX and garble obfuscation. The incident creates material operational risk for exposed cloud and on-premise workloads, elevates demand for runtime detection and remediation (Wiz highlights agentless YARA and runtime sensors), and leaves immediate mitigation actions (disable open-registration, restrict internet exposure, monitor PutContents API and random repo creation) as critical short-term controls while maintainers develop a patch.

AllMind AI Terminal

AI-powered research, real-time alerts, and portfolio analytics for institutional investors.

Request a Demo

Market Sentiment

Overall Sentiment

moderately negative

Sentiment Score

-0.55

Ticker Sentiment

FFIV0.00
GTLB0.00

Key Decisions for Investors

  • Audit and require portfolio companies to confirm whether they run internet-exposed Gogs (versions <=0.13.3) and ensure open-registration is disabled immediately or instances are taken behind VPN/IP allow-lists
  • Monitor vendor- and customer-impact disclosures from companies with large self-hosted Git footprints (including those listed in the article's entity extraction) and consider reducing exposure to firms that cannot demonstrate rapid remediation or adequate detection controls
  • Increase tactical exposure to cybersecurity vendors with cloud-workload runtime detection and agentless malware signatures, as demand for such controls is likely to rise given the scale (700+ compromises) and active exploitation
  • Use operational indicators (patch release, drop in confirmed compromised instances, disappearance of random 8-character repos, and PutContents API anomalies) as triggers to reassess positions and hedges