A major zero-day vulnerability is actively being exploited against Gogs, a widely used self-hosted Git service, with no fix available yet. Security researchers from Wiz report that over 700 Gogs installations have been compromised in ongoing campaigns, describing the zero-day as an “accidental” discovery made in July while examining malware on an infected machine.
In a Wednesday blog, Wiz researchers Gili Tikochinski and Yaara Shriki explained that the threat actor leveraged an as-yet-unknown flaw to gain access to exposed instances. They responsibly notified Gogs maintainers, who are attempting to develop a fix, but exploitation continues in the wild.
The vulnerability is tracked as CVE-2025-8110. Any Gogs server running version 0.13.3 or earlier that is exposed to the internet and has open-registration enabled (the default setting) is at risk.
CVE-2025-8110 effectively bypasses a previously patched issue (CVE-2024-55947) that allowed authenticated users to overwrite files outside the repository, enabling remote code execution (RCE). The earlier RCE was identified by Manasseh Zhou.
Wiz notes that the previous fix did not consider symbolic links, which can point outside a repository. Gogs, built with Go, enables users to host Git repositories on their own hardware or cloud services rather than using third-party platforms like GitHub.
Symbolic links (symlinks) can reference files or directories outside a repository, and the Gogs API permits file modifications outside the standard Git workflow. The prior patch failed to address this form of symlink abuse, allowing attackers to exploit the flaw and remotely run malicious code through a four-step process that Wiz says is “trivial” for anyone with repository creation rights—rights that are enabled by default.
The four-step chain is as follows:
- The attacker creates a normal Git repository.
- They add a single symbolic link that points to a sensitive target.
- Through the PutContents API, they write data to the symlink, which the system follows to overwrite the target file outside the repository.
- By altering the .git/config (specifically the sshCommand), the attacker can instruct the system to execute arbitrary commands.
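The class of check the earlier patch lacked, shown here as an added Go example (Gogs is written in Go); this is not Gogs code and not the pending fix. `resolveInsideRepo` and `ErrOutsideRepo` are names chosen for the illustration, and the paths in `main` are constructed. The function maps an API-supplied path onto a repository root and refuses absolute paths, `..` traversal, writes under `.git`, and any existing symlink along the path, which is the component a purely lexical check does not catch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("path escapes repository")

// resolveInsideRepo maps relPath onto repoRoot and refuses anything that
// could land outside the working tree: absolute paths, ".." prefixes, the
// .git directory, and an existing symlink in any path component.
func resolveInsideRepo(repoRoot, relPath string) (string, error) {
	root := filepath.Clean(repoRoot)
	sep := string(filepath.Separator)
	clean := filepath.Clean(relPath)
	if filepath.IsAbs(clean) || clean == "." || clean == ".." ||
		strings.HasPrefix(clean, ".."+sep) {
		return "", ErrOutsideRepo
	}
	parts := strings.Split(clean, sep)
	if parts[0] == ".git" {
		return "", fmt.Errorf("%w: .git is not writable via the API", ErrOutsideRepo)
	}
	cur := root // walk the existing prefix; Lstat inspects a link rather than following it
	for _, p := range parts {
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) { // nothing below this exists yet: nothing to follow
			break
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %s is a symlink", ErrOutsideRepo, cur)
		}
	}
	return filepath.Join(root, clean), nil
}

func main() {
	_, err := resolveInsideRepo("/srv/gogs/repo", "../etc/passwd") // constructed paths
	fmt.Println(err)                                                 // prints: path escapes repository
}
```

The Lstat-then-write window is still a race on a shared host; on Linux, opening the target with O_NOFOLLOW, or via openat2 with RESOLVE_BENEATH, closes it.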
Approximately 1,400 Gogs instances are publicly accessible, and Wiz confirms that more than 700 have been compromised. All observed cases show an eight-character random owner/repo name created on July 10 and a payload that employs the Supershell remote command-and-control framework.
While the researchers have not attributed the attacks to a specific group, Shriki suggested to The Register that threat actors using Supershell appear to operate from Asia, based on their observations.
What attackers do with access remains unclear. In the environments Wiz could monitor, the malware was removed quickly, so no post-exploitation activity was observed, and Wiz has only limited visibility into the other compromised servers.
The Register has sought comment from GitHub about a timeline for a fix and will provide updates. In the meantime, Wiz urges disabling open-registration if it isn’t needed and reducing internet exposure by hosting self-hosted Git services behind a VPN.
Additionally, watch for newly created repositories with random eight-character names or unusual use of the PutContents API.
Wiz published a full set of indicators of compromise to help administrators detect and respond to this threat.