How Attackers Exploited CVE-2025-8110: The Gogs Zero-Day Breach Explained

How Attackers Exploited CVE-2025-8110: The Gogs Zero-Day Breach Explained

Alex Cipher's Profile Pictire Alex Cipher 6 min read

A single overlooked detail in open-source software can open the floodgates to widespread compromise, as demonstrated by the recent exploitation of CVE-2025-8110 in Gogs—a popular self-hosted Git service. This zero-day vulnerability, rooted in the mishandling of symbolic links within the PutContents API, allowed attackers to overwrite critical files outside the intended directory, leading to remote code execution and, in many cases, full server takeover. The scale of the breach is staggering: over 700 Gogs servers were compromised in a matter of weeks, with attackers leveraging automation and default open registration settings to orchestrate a highly coordinated campaign (BleepingComputer).

What sets this incident apart is not just the technical ingenuity of the exploit, but the attackers’ use of open-source command-and-control frameworks like Supershell to maintain persistent access. The campaign’s rapid escalation—fueled by delayed patch development and widespread exposure—serves as a cautionary tale for organizations relying on open-source tools without robust security controls. As the cybersecurity landscape continues to evolve, this breach underscores the importance of proactive vulnerability management and the dangers of default configurations left unchecked (BleepingComputer).

How the Gogs Zero-Day Was Exploited: A Deep Dive into CVE-2025-8110

Technical Mechanism of the Exploit

CVE-2025-8110 is a remote code execution (RCE) vulnerability in Gogs, a self-hosted Git service written in Go. The flaw arises from improper handling of symbolic links (symlinks) in the PutContents API, which is used for writing content to files within a repository. While previous vulnerabilities, such as CVE-2024-55947, had been addressed by validating path names to prevent directory traversal, CVE-2025-8110 bypasses these protections by failing to check the destination of symlinks. This oversight allows attackers to create repositories containing symlinks that point to files outside the intended directory scope (BleepingComputer).

When an attacker leverages the PutContents API to write data to a file through such a symlink, the write operation is executed on the file outside the repository, effectively enabling arbitrary file overwrite on the server. This is particularly dangerous when sensitive configuration files are targeted, as it can result in full system compromise.

The exploitation process typically involves the following steps:

  1. Repository Creation with Symlinks: The attacker creates a new repository and includes symlinks that point to sensitive system files or configuration files outside the repository’s directory tree.
  2. API Abuse: Using the PutContents API, the attacker writes arbitrary data through the symlink, overwriting the target file.
  3. Command Execution: By overwriting files such as the Git configuration file and modifying settings like sshCommand, the attacker can force the system to execute arbitrary shell commands upon subsequent Git operations.

This chain of actions enables remote code execution with the privileges of the Gogs process, which, depending on the deployment, can lead to full server takeover.

Attack Campaign Characteristics and Patterns

The exploitation campaign targeting CVE-2025-8110 was notable for its automation and scale. According to research by Wiz, over 1,400 Gogs servers were discovered to be publicly exposed on the internet, with more than 700 showing signs of compromise as of July 2025 (BleepingComputer). The attackers exhibited several distinct operational patterns:

  • Automated Repository Creation: Compromised servers consistently contained repositories with randomly generated eight-character names, all created within a narrow time window. This pattern strongly suggests the use of automated tooling for mass exploitation.
  • Uniform Attack Artifacts: The identical nature of the artifacts—such as the structure and naming of malicious repositories—across hundreds of compromised instances points to a single threat actor or group orchestrating a coordinated campaign.
  • Open Registration Abuse: Many Gogs instances were configured with open registration enabled by default, which allowed attackers to easily create new accounts and repositories without any administrative oversight, significantly broadening the attack surface.

The campaign’s scale and uniformity indicate a high degree of automation and planning, with the attackers leveraging the default configurations of Gogs to maximize their reach.

Payload Delivery and Post-Exploitation Activities

Once the attackers achieved code execution on the target Gogs servers, they deployed malware to establish persistent remote access. The primary tool identified in these attacks was Supershell, an open-source command-and-control (C2) framework designed to create reverse SSH shells over web services (BleepingComputer).

Key aspects of the post-exploitation phase include:

  • Supershell Deployment: The malware, built using Supershell, enabled the attackers to maintain a stealthy and flexible foothold on compromised servers by tunneling command execution through encrypted SSH connections.
  • C2 Infrastructure: Infections were observed communicating with a command-and-control server at the IP address 119.45.176[.]196, allowing attackers to issue commands, exfiltrate data, and potentially pivot to other systems within the victim’s network.
  • Persistence Mechanisms: By overwriting Git configuration files and other system files, attackers could ensure that their malicious commands would be executed repeatedly, even after server reboots or service restarts.

This post-exploitation strategy provided attackers with robust, ongoing access to compromised infrastructure, increasing the risk of further lateral movement and data theft.

Timeline of Discovery, Disclosure, and Exploitation

The timeline surrounding CVE-2025-8110 highlights the challenges of vulnerability management in open-source projects:

  • Initial Discovery: Wiz Research identified the vulnerability in July 2025 while investigating a malware infection on a customer’s internet-facing Gogs server.
  • Responsible Disclosure: The flaw was reported to Gogs maintainers on July 17, 2025. The maintainers acknowledged the report on October 30, 2025, but at that time, a patch was still under development.
  • Second Wave of Attacks: Despite the disclosure, a second wave of exploitation was observed on November 1, 2025, indicating that attackers were actively monitoring the vulnerability landscape and accelerating their campaigns before a fix could be released (BleepingComputer).

This sequence underscores the importance of rapid response and patch development, especially for widely deployed open-source services.

Recommendations for Mitigation and Detection

In response to the ongoing exploitation of CVE-2025-8110, security researchers and Gogs maintainers have issued several urgent recommendations:

  • Disable Open Registration: Administrators are strongly advised to turn off the default open registration setting to prevent unauthorized account creation and repository manipulation.
  • Restrict Server Access: Limiting access to Gogs servers via VPNs or IP allow lists can significantly reduce the attack surface, especially for instances exposed to the public internet.
  • Monitor for Indicators of Compromise: Signs of exploitation include suspicious use of the PutContents API and the presence of repositories with random eight-character names created in July 2025. Administrators should audit server logs and repository lists for these indicators.
  • Patch Deployment: Once a fix becomes available, prompt application of security updates is critical to close the vulnerability and prevent further exploitation.
  • Network Segmentation: Isolating Gogs servers from sensitive internal resources can help contain the impact of a successful compromise.

These measures, while not exhaustive, provide a practical starting point for organizations seeking to mitigate the risks associated with this zero-day vulnerability.

Note: All referenced information is based on the latest reporting as of December 11, 2025. For further details, see the original article on BleepingComputer.

Final Thoughts

The Gogs zero-day saga is a stark reminder that even trusted open-source platforms can become prime targets when security best practices are overlooked. Attackers exploited a subtle flaw to breach hundreds of servers, demonstrating how automation and default settings can amplify risk at scale. For organizations, the lessons are clear: disable open registration, restrict public access, and monitor for unusual activity—especially when a patch is still in the works. Above all, this incident highlights the need for rapid, transparent communication between researchers, maintainers, and users to outpace threat actors in the race to secure our digital infrastructure (BleepingComputer).

References

Related Articles