Unpatched Gogs Zero Day Actively Exploited Across More Than 700 Instances

A newly discovered and unpatched security vulnerability in Gogs is being actively exploited in the wild, with more than 700 compromised instances currently accessible over the internet. The findings were disclosed by Wiz following an investigation into a real-world malware incident.

The vulnerability, tracked as CVE-2025-8110 with a CVSS score of 8.7, affects the file update API in Gogs, a Go-based, self-hosted Git service. The flaw enables arbitrary file overwrite, which can be escalated to remote code execution. Wiz stated that the issue was unintentionally uncovered in July 2025 while analyzing a malware infection in a customer environment. A fix is reportedly under development, but no patch is currently available.

According to the vulnerability description published on CVE.org, improper handling of symbolic links within the PutContents API allows local code execution. Wiz further explained that CVE-2025-8110 effectively bypasses a previously patched vulnerability, CVE-2024-55947, which also carried a CVSS score of 8.7 and was addressed by the Gogs maintainers in December 2024.

The earlier fix failed to account for how Git handles symbolic links. Because Git repositories can contain symlinks that reference files outside the repository, and because Gogs allows file modification through its API outside the standard Git workflow, attackers can abuse this behavior to overwrite sensitive files on the underlying server.

Wiz detailed a four-step exploitation chain used by attackers. First, a normal Git repository is created. Second, a symbolic link is committed that points to a sensitive file outside the repository. Third, the attacker uses the PutContents API to write data through the symlink, causing the target file to be overwritten. Finally, the attacker overwrites the .git/config file, specifically the sshCommand setting, to execute arbitrary commands and gain control of the server.

The malware observed in these attacks appears to be based on Supershell, an open-source command-and-control framework commonly associated with Chinese threat actors. The payload establishes a reverse SSH connection to an attacker-controlled server at 119.45.176[.]196.

Wiz noted that the attackers demonstrated a lack of operational hygiene by leaving behind the malicious repositories they created, such as those with names resembling random strings like IV79VAew or Km4zoh4s. These repositories were not deleted or marked private, suggesting a smash-and-grab style campaign rather than a stealth-focused operation.

Researchers identified approximately 1,400 internet-exposed Gogs instances, with more than 700 showing clear signs of compromise. A common indicator was the presence of repositories with random 8-character owner and repository names. All of these repositories were created around July 10, 2025, strongly suggesting that a single actor, or multiple actors using the same tooling, is responsible for the activity, according to Wiz researchers Gili Tikochinski and Yaara Shriki.

Because no patch is currently available, Wiz strongly recommends that administrators disable open registration, restrict internet exposure, and actively scan their instances for suspicious repositories with randomly generated names.
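The indicators above (8-character random-looking owner and repository names created around July 10, 2025, plus an unexpected sshCommand entry in a repository's .git/config) can be turned into a simple triage script. The code below is an added example, not Wiz's or the Gogs project's code; the repository inventory, the config text, and the 3-day tolerance around the reported creation date are constructed assumptions.

```python
import re
from datetime import date

# Heuristic from the reported indicators: 8 alphanumerics mixing upper, lower
# and digits, created close to July 10, 2025.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
CAMPAIGN_DATE = date(2025, 7, 10)
WINDOW_DAYS = 3  # assumption: tolerance around the reported creation date

def looks_random(name: str) -> bool:
    """True if name is 8 alphanumerics containing upper, lower and digit chars."""
    return (bool(RANDOM_NAME.match(name)) and any(c.isupper() for c in name)
            and any(c.islower() for c in name) and any(c.isdigit() for c in name))

def in_campaign_window(created: date) -> bool:
    return abs((created - CAMPAIGN_DATE).days) <= WINDOW_DAYS

def flag_repositories(repos):
    """Return 'owner/name' for repositories matching the indicator pattern."""
    return [f"{r['owner']}/{r['name']}" for r in repos
            if looks_random(r["owner"]) and looks_random(r["name"])
            and in_campaign_window(r["created"])]

# sshCommand is a legitimate Git option, but unexpected in a Gogs-hosted
# repository's config; any occurrence warrants a closer look.
SSH_COMMAND = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)

def config_has_ssh_command(config_text: str) -> bool:
    return bool(SSH_COMMAND.search(config_text))

# Constructed sample inventory (not real data): two indicator-like, two benign.
SAMPLE_REPOS = [
    {"owner": "IV79VAew", "name": "Km4zoh4s", "created": date(2025, 7, 10)},
    {"owner": "Qx7Lp2Zr", "name": "Ab9Cd3Ef", "created": date(2025, 7, 11)},
    {"owner": "alice", "name": "infra-tools", "created": date(2025, 7, 10)},
    {"owner": "Ab9Cd3Ef", "name": "release1", "created": date(2024, 1, 5)},
]

# Constructed .git/config with a placeholder sshCommand entry.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tsshCommand = PLACEHOLDER_COMMAND
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

if __name__ == "__main__":
    print(flag_repositories(SAMPLE_REPOS))    # ['IV79VAew/Km4zoh4s', 'Qx7Lp2Zr/Ab9Cd3Ef']
    print(config_has_ssh_command(SAMPLE_CONFIG))  # True
```

Feed `flag_repositories` the output of the Gogs repository listing and run `config_has_ssh_command` over each repository's config on the server; flagged items are leads for investigation, not proof of compromise.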

In a related disclosure, Wiz also warned about threat actors abusing leaked GitHub Personal Access Tokens as high-value initial access vectors. With read-level permissions, attackers can use the GitHub API to search workflow YAML files and identify secret names. If write permissions are available, attackers can execute malicious workflows and erase evidence of their activity.

Researcher Shira Ayal explained that attackers have been observed creating malicious GitHub Actions workflows to extract cloud service provider secrets and exfiltrate them to attacker-controlled webhook endpoints, completely bypassing Actions logs. This technique enables cross-cloud lateral movement from GitHub into cloud control planes, significantly expanding the potential blast radius of a single leaked token.