High-Severity Gogs Vulnerability Actively Exploited Across Hundreds Of Instances

A high-severity unpatched vulnerability in Gogs has been actively exploited, with researchers identifying over 700 compromised instances exposed online. Tracked as CVE-2025-8110 with a CVSS score of 8.7, the flaw affects the file update API of the Go-based self-hosted Git service. Wiz discovered the zero-day vulnerability while investigating a malware infection on a customer’s system in July 2025. The issue arises from improper symbolic link handling in the PutContents API, which allows attackers to execute arbitrary code on affected systems. A fix for the flaw is reportedly in development, though no official patch has been released yet.

CVE-2025-8110 acts as a bypass for a previous remote code execution flaw, CVE-2024-55947, which was addressed by Gogs in December 2024. Researchers explained that the fix for CVE-2024-55947 could be circumvented because Git allows symbolic links in repositories that can point to files outside the repository, combined with API functionality that enables file modifications outside standard Git operations. Exploitation involves creating a repository with a symbolic link to a sensitive target, using the PutContents API to overwrite files outside the repository, and finally modifying the .git/config file to execute arbitrary commands.

The malware deployed in these attacks is based on Supershell, an open-source command-and-control framework, which establishes reverse SSH shells to attacker-controlled servers. Wiz researchers observed that attackers left behind the repositories they created on cloud workloads, indicating a “smash-and-grab” campaign style. Around 1,400 Gogs instances were found exposed, with over 700 showing signs of compromise, including randomly named repositories consisting of eight-character sequences. Researchers concluded that a single actor or a group using identical tooling is likely responsible for the infections.

In addition to targeting Gogs, threat actors are exploiting leaked GitHub Personal Access Tokens (PATs) to gain access to cloud environments and move laterally between cloud service providers. With even basic read permissions, attackers can use GitHub API code search to identify secret names in workflow YAML files. PATs with write permissions allow malicious workflows to be executed and traces erased. Researchers reported that threat actors exfiltrate secrets to attacker-controlled webhooks, bypassing GitHub Actions logs entirely. Wiz advised users to disable open registration, restrict public exposure of instances, and actively scan for suspicious repositories to mitigate ongoing risk, highlighting the importance of vigilance in self-hosted Git deployments.
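The article gives defenders two concrete things to look for on a self-hosted Gogs instance: the precondition for the flaw (a symbolic link inside a repository whose target resolves outside the repository root) and the post-compromise artifact (repositories with random eight-character names). The following Python is an added triage example written for this page, not code from Wiz, Gogs, or the article. The repository listing and tree entries are constructed sample data; the `name`/`full_name` fields mirror the shape of a Gogs repository object, while the tree-entry fields (`path`, `type`, `target`) are an assumed shape you would populate from your own clone or API walk.

```python
"""
Defender-side triage helpers for the two indicators described in the article:

  1. repositories whose names are random-looking eight-character sequences
     (the post-compromise artifact the researchers observed), and
  2. symbolic links in a repository tree whose target resolves outside the
     repository root (the precondition the symlink-handling issue relies on).

All sample data below is constructed for illustration, not captured from a
real instance.
"""
import math
import posixpath
import re

# Exactly eight alphanumeric characters, as described in the article.
EIGHT_ALNUM = re.compile(r"^[A-Za-z0-9]{8}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; 8 distinct characters give 3.0, 'testtest' gives 1.5."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_eight(name: str, min_entropy: float = 2.5) -> bool:
    """Triage heuristic: 8 alphanumeric chars with enough character variety.
    Ordinary names of exactly eight characters will also match, so treat hits
    as candidates for review rather than confirmed compromise."""
    if not EIGHT_ALNUM.match(name):
        return False
    return shannon_entropy(name) >= min_entropy


def flag_suspicious_repos(repos):
    """Return full names of repositories whose short name looks randomly generated."""
    return [r["full_name"] for r in repos if looks_random_eight(r["name"])]


def symlink_escapes_repo(link_path: str, target: str) -> bool:
    """True when a symlink at link_path (relative to the repo root) resolves
    outside the repository. Absolute targets always escape. Chains through
    other symlinks are not followed here; resolve those on a real checkout."""
    if target.startswith("/"):
        return True
    link_dir = posixpath.dirname(link_path)
    resolved = posixpath.normpath(posixpath.join(link_dir, target))
    return resolved == ".." or resolved.startswith("../")


def flag_escaping_symlinks(tree):
    """tree: iterable of dicts with 'path', 'type' and (for symlinks) 'target'."""
    return [
        e["path"]
        for e in tree
        if e.get("type") == "symlink" and symlink_escapes_repo(e["path"], e["target"])
    ]


# Constructed sample listing (assumed field names: name, full_name).
SAMPLE_REPOS = [
    {"name": "infra-tools", "full_name": "ops/infra-tools"},
    {"name": "Xk9qT2vb", "full_name": "newuser01/Xk9qT2vb"},
    {"name": "testtest", "full_name": "dev/testtest"},
    {"name": "p3Rz81Lm", "full_name": "newuser02/p3Rz81Lm"},
]

# Constructed sample tree walk (assumed field names: path, type, target).
SAMPLE_TREE = [
    {"path": "README.md", "type": "file"},
    {"path": "docs/latest", "type": "symlink", "target": "../README.md"},
    {"path": "escape", "type": "symlink", "target": "../../outside-repo.txt"},
    {"path": "abs", "type": "symlink", "target": "/tmp/outside"},
]

if __name__ == "__main__":
    print("suspicious repos:", flag_suspicious_repos(SAMPLE_REPOS))
    print("escaping symlinks:", flag_escaping_symlinks(SAMPLE_TREE))
```

Run against a real instance, the repository list would come from the Gogs API or the server's repository directory and the tree entries from `git ls-tree -r` on each clone (symlinks have mode `120000`); the escape check deliberately stays path-based so it can run on a bare listing without touching the filesystem.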
