Security researchers have identified an active zero-day vulnerability in Gogs, a widely used self-hosted Git service.
The flaw has already resulted in the compromise of more than 700 servers publicly exposed on the internet.
As of early December 2025, no official patch is available to mitigate this threat, leaving thousands of instances vulnerable to remote attacks.
Symlink Bypass Vulnerability
The vulnerability, tracked as CVE-2025-8110, allows bypassing a previously patched issue, CVE-2024-55947.
| CVE ID | Description | Severity | Status |
|---|---|---|---|
| CVE-2025-8110 | Symlink bypass allowing file overwrite outside repo | Critical | Active / Unpatched |
| CVE-2024-55947 | Previous RCE via argument injection | Critical | Patched |
The original flaw allowed path traversal, which the maintainers attempted to fix by implementing stricter input validation on file paths.
However, this new zero-day exploits a failure to validate the destination of symbolic links.
According to Wiz, attackers with repository creation permissions can exploit this weakness by uploading a symbolic link pointing to a location outside the repository.
By using the API to write data to that symlink, they can overwrite sensitive system files.
In observed attacks, threat actors are overwriting SSH configuration files to force the system to execute arbitrary commands, resulting in complete Remote Code Execution (RCE).
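The weakness described above is a validation gap: a textual path filter is satisfied by a path such as `link/file` even though, once the symlink is followed, the write lands outside the repository. The following is an added example, not code from Gogs or from the Wiz write-up, of the check a defender would want in the write path: resolve symlinks in the destination before writing, refuse if the resolved location is not under the repository root, and refuse if the final component is itself a symlink. The fixture directories, file names and repository layout are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a write would land outside the repository root
// or would pass through a symbolic link.
var ErrOutsideRepo = errors.New("write refused: destination escapes repository root")

// within reports whether p is root itself or lies beneath it.
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// resolveInsideRepo returns the symlink-free absolute path that a write to
// relPath would actually touch, or ErrOutsideRepo if that path escapes repoRoot.
// Checking the resolved path rather than the textual one is what a pure
// string-based traversal filter misses.
func resolveInsideRepo(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	if root, err = filepath.Abs(root); err != nil {
		return "", err
	}
	// Clean with a leading "/" so "../x" collapses to "/x" and can never climb above root.
	target := filepath.Join(root, filepath.Clean("/"+relPath))

	// Find the nearest ancestor that exists on disk; a write may create new directories.
	existing := filepath.Dir(target)
	for {
		if _, err := os.Lstat(existing); err == nil || existing == root {
			break
		}
		existing = filepath.Dir(existing)
	}
	// Resolve symlinks in that ancestor and check where it really lives.
	realDir, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if !within(root, realDir) {
		return "", ErrOutsideRepo
	}
	rest, err := filepath.Rel(existing, target)
	if err != nil {
		return "", err
	}
	final := filepath.Join(realDir, rest)

	// The final component must not itself be a symlink, or the write follows it.
	if fi, err := os.Lstat(final); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrOutsideRepo
	}
	return final, nil
}

// runDemo builds a constructed fixture (a repo directory plus a directory
// outside it, with two symlinks committed into the repo) and returns, for each
// candidate write path, "allowed" or "denied".
func runDemo() (map[string]string, error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)

	repo := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside") // stands in for any directory the service can write
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return nil, err
		}
	}
	if err := os.WriteFile(filepath.Join(outside, "config"), []byte("# constructed sample\n"), 0o644); err != nil {
		return nil, err
	}
	if err := os.Symlink(outside, filepath.Join(repo, "dirlink")); err != nil {
		return nil, err
	}
	if err := os.Symlink(filepath.Join(outside, "config"), filepath.Join(repo, "filelink")); err != nil {
		return nil, err
	}

	results := map[string]string{}
	for _, p := range []string{
		"README.md",         // ordinary file inside the repo
		"docs/new/guide.md", // new nested directories, still inside
		"../escape.txt",     // textual traversal, neutralised by Clean
		"dirlink/config",    // through a symlinked directory pointing outside
		"filelink",          // the symlink itself as the write target
	} {
		if _, err := resolveInsideRepo(repo, p); errors.Is(err, ErrOutsideRepo) {
			results[p] = "denied"
		} else if err != nil {
			return nil, err
		} else {
			results[p] = "allowed"
		}
	}
	return results, nil
}

func main() {
	res, err := runDemo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for p, verdict := range res {
		fmt.Printf("%-20s %s\n", p, verdict)
	}
}
```

The check above is still a lookup followed by a separate write, so a process with write access to the repository could swap a directory for a symlink between the two steps; a production implementation should additionally open the final component with `O_NOFOLLOW` (or use `openat`-style directory-relative opens) so the kernel enforces the same rule at write time.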
The ongoing campaign is highly automated. Compromised servers exhibit specific artifacts, including repositories with random 8-character names created within a short timeframe.
The investigation revealed that approximately 50% of all public-facing Gogs instances observed by researchers showed signs of infection.
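The artifact named above, a burst of repositories with random 8-character names created close together, lends itself to a simple triage heuristic. The following is an added example for defenders, not tooling from the researchers or from Gogs: it takes a list of repository names with creation times (the record type and sample rows are constructed here, not read from the Gogs database) and flags 8-character alphanumeric names that appear in groups within a short window, while leaving an isolated 8-character name alone. Review the flagged repositories manually; a legitimate project can have such a name.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// repoRecord is a minimal view of a repository row. The shape is an assumption
// for this example; map it onto whatever your instance's database or API exposes.
type repoRecord struct {
	Name      string
	CreatedAt time.Time
}

// eightAlnum matches the "random 8-character name" pattern described in the article.
var eightAlnum = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// suspiciousBurst returns, sorted, the names of 8-character alphanumeric repos
// that were created in groups of at least minCount within any window of the
// given length. A lone matching repo is not reported.
func suspiciousBurst(repos []repoRecord, window time.Duration, minCount int) []string {
	var cand []repoRecord
	for _, r := range repos {
		if eightAlnum.MatchString(r.Name) {
			cand = append(cand, r)
		}
	}
	sort.Slice(cand, func(i, j int) bool { return cand[i].CreatedAt.Before(cand[j].CreatedAt) })

	flagged := map[string]bool{}
	start := 0
	// Sliding window over the time-sorted candidates.
	for end := range cand {
		for cand[end].CreatedAt.Sub(cand[start].CreatedAt) > window {
			start++
		}
		if end-start+1 >= minCount {
			for _, r := range cand[start : end+1] {
				flagged[r.Name] = true
			}
		}
	}
	out := make([]string, 0, len(flagged))
	for n := range flagged {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// sampleRepos is a constructed inventory: a few normal projects, one isolated
// 8-character name, and three 8-character names created within a minute.
func sampleRepos() []repoRecord {
	t0 := time.Date(2025, 12, 1, 10, 0, 0, 0, time.UTC)
	return []repoRecord{
		{"infra-docs", t0.Add(-48 * time.Hour)},
		{"ab12cd34", t0.Add(-20 * time.Hour)}, // matches the pattern but is isolated
		{"q7x2m9kp", t0},
		{"z3n8v1lw", t0.Add(20 * time.Second)},
		{"h5t0r4yj", t0.Add(45 * time.Second)},
		{"website", t0.Add(2 * time.Hour)},
	}
}

func main() {
	for _, name := range suspiciousBurst(sampleRepos(), 5*time.Minute, 3) {
		fmt.Println("review:", name)
	}
}
```

Tune the window and the minimum count to your instance's normal repository creation rate, and combine the hit list with who created the repositories and from where; a burst under a single newly registered account is a stronger signal than the names alone.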
The threat actors are deploying the Supershell framework, an open-source tool used to establish reverse SSH shells.
This payload enables attackers to maintain persistence and remotely control the compromised servers via a Command and Control (C2) server.
