
New research from Wiz reveals that an unpatched high-severity security vulnerability in Gogs is being actively exploited, with over 700 compromised instances accessible over the internet.
The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a file-overwrite issue in the file update API of Gogs, a Go-based self-hosted Git service. A fix for the issue is said to be in the works. Wiz said it discovered the zero-day flaw by chance in July 2025 while investigating a malware infection on a customer’s machine.
According to the vulnerability description on CVE.org, “Improper symbolic link handling in Gogs’ PutContents API could lead to local code execution.”
According to the cloud security company, CVE-2025-8110 is a bypass of a previously patched remote code execution flaw (CVE-2024-55947, CVSS score: 8.7) that allows an attacker to write files to arbitrary paths on the server and gain SSH access to it. CVE-2024-55947 was addressed by the maintainers in December 2024.

Wiz said that the fix Gogs introduced to resolve CVE-2024-55947 could be circumvented by taking advantage of the fact that Git (and therefore Gogs) allows symbolic links inside git repositories, and that those symbolic links can point to files and directories outside the repository. Additionally, the Gogs API allows files to be modified outside of the regular Git protocol.
As a result, this failure to account for symbolic links could be exploited by an attacker to execute arbitrary code via a four-step process.
1. Create a standard git repository.
2. Commit a single symbolic link pointing to a sensitive target.
3. Write data to the symbolic link using the PutContents API, so that the system follows the link and overwrites the target file outside the repository.
4. Overwrite “.git/config” (in particular sshCommand) to run arbitrary commands.
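The root cause described above is a write path that trusts the on-disk name and lets the operating system follow whatever symlink sits there. The following Go program is an added example, not Gogs’ code or Wiz’s, showing the vulnerable pattern (a plain os.WriteFile through a committed link) next to a hardened write that walks each path component with Lstat, refuses links and a leading “..”, and opens the final file with O_NOFOLLOW. The names SafePath, WriteRepoFile and Demo are this example’s own; it assumes a Unix-like system (the verifier’s Linux), since it creates a symlink in a temporary directory and uses syscall.O_NOFOLLOW.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRepo is returned when a requested path would leave the repository root.
var ErrEscapesRepo = errors.New("path escapes repository root")
// SafePath maps rel onto root without following symbolic links: each existing
// component is checked with Lstat, and a link anywhere in the chain, or a leading
// "..", rejects the path. Not-yet-existing components are allowed.
func SafePath(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	current := absRoot
	for _, part := range strings.Split(path.Clean(filepath.ToSlash(rel)), "/") {
		if part == "" || part == "." {
			continue
		}
		if part == ".." { // only a leading ".." survives Clean, and it would escape
			return "", ErrEscapesRepo
		}
		current = filepath.Join(current, part)
		fi, err := os.Lstat(current)
		if os.IsNotExist(err) {
			continue
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %q is a symbolic link", ErrEscapesRepo, part)
		}
	}
	return current, nil
}

// WriteRepoFile is the hardened write: SafePath vets every component, then the
// file is opened with O_NOFOLLOW so a link raced in after the check is refused too.
func WriteRepoFile(root, rel string, data []byte) error {
	p, err := SafePath(root, rel)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// Demo builds a throwaway repo (constructed input) holding a symlink to a file outside
// it, writes through the link with plain os.WriteFile and then with WriteRepoFile.
func Demo() (naiveFollowed, hardenedRefused bool, err error) {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	outside := filepath.Join(base, "outside", "config")
	repo := filepath.Join(base, "repo")
	if err := errors.Join(
		os.MkdirAll(filepath.Dir(outside), 0o755),
		os.MkdirAll(repo, 0o755),
		os.WriteFile(outside, []byte("original\n"), 0o644),
		os.Symlink(filepath.Join("..", "outside", "config"), filepath.Join(repo, "link")), // repo/link -> ../outside/config
		// Unsafe pattern: os.WriteFile follows the link and overwrites the outside file.
		os.WriteFile(filepath.Join(repo, "link"), []byte("tampered\n"), 0o644),
	); err != nil {
		return false, false, err
	}
	got, err := os.ReadFile(outside)
	if err != nil {
		return false, false, err
	}
	naiveFollowed = string(got) == "tampered\n"
	// Hardened pattern: SafePath rejects the link before anything is opened.
	hardenedRefused = errors.Is(WriteRepoFile(repo, "link", []byte("again\n")), ErrEscapesRepo)
	return naiveFollowed, hardenedRefused, nil
}

func main() {
	followed, refused, err := Demo()
	fmt.Println("naive followed link:", followed, "hardened refused:", refused, "err:", err)
}
```

The Lstat walk and O_NOFOLLOW complement each other: the walk catches a link in any intermediate directory (which O_NOFOLLOW on the final open does not), and O_NOFOLLOW closes the window between the check and the open. A stricter service would also reject writes to anything under .git/ through the content API, since that directory is configuration, not content.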
The malware deployed in this campaign is assessed to be a payload based on Supershell, an open-source command-and-control (C2) framework commonly used by Chinese hacking groups, and is able to establish a reverse SSH shell to an attacker-controlled server (119.45.176[.]196).
According to Wiz, the attackers behind the CVE-2025-8110 exploitation left behind the repositories they created on customers’ cloud workloads (e.g. “IV79VAew/Km4zoh4s”), even though they could have deleted them or marked them private after infection. It added that this carelessness was indicative of a “slam and grab” style campaign.
There are approximately 1,400 exposed Gogs instances in total, and over 700 of them show signs of compromise, specifically the presence of random 8-character owner/repository names. All identified repositories were created around July 10, 2025.
“This suggests that a single attacker, or a group of attackers using the same tool, is responsible for all infections,” said researchers Gili Tikocinsky and Yaara Shuriki.

Given that this vulnerability has not yet been fixed, users should disable open registration, limit Internet exposure, and scan their instances for repositories with random 8-character owner and repository names.
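The scan recommended above can be scripted against a repository listing. The Go program below is an added example, not Wiz’s tooling, that flags repositories whose owner and name both look like 8-character generated tokens and rates those created near July 10, 2025 as high confidence. The character-class heuristic in LooksRandom, the 72-hour window, and the SampleRepos listing are this example’s own assumptions; the listing is constructed, with the one real name taken from the article alongside ordinary names that the heuristic should leave alone.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
	"unicode"
)

// Repo is the slice of repository metadata the hunt needs. In a real sweep it
// would come from the instance's repository listing; here it is constructed.
type Repo struct {
	Owner   string
	Name    string
	Created time.Time
}

// Finding is a flagged repository with a confidence label.
type Finding struct {
	Repo       Repo
	Confidence string // "high" when the creation date also falls inside the window
}

var eightAlnum = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// campaignCenter is the creation date the article reports for the identified repositories.
var campaignCenter = time.Date(2025, time.July, 10, 0, 0, 0, 0, time.UTC)

// LooksRandom reports whether s resembles an 8-character generated token: exactly
// eight alphanumerics drawing on at least two character classes, excluding the
// ordinary Title-case word shape (one leading capital, the rest lowercase letters).
func LooksRandom(s string) bool {
	if !eightAlnum.MatchString(s) {
		return false
	}
	var upper, lower, digit int
	for _, r := range s {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digit++
		}
	}
	classes := 0
	for _, n := range []int{upper, lower, digit} {
		if n > 0 {
			classes++
		}
	}
	if classes < 2 {
		return false
	}
	if upper == 1 && digit == 0 && unicode.IsUpper(rune(s[0])) {
		return false // "Frontend"-style name, not a token
	}
	return true
}

// HuntRepos flags repositories whose owner and name both look generated; those
// created within window of campaignCenter are rated high, the rest medium.
func HuntRepos(repos []Repo, window time.Duration) []Finding {
	var out []Finding
	for _, r := range repos {
		if !LooksRandom(r.Owner) || !LooksRandom(r.Name) {
			continue
		}
		delta := r.Created.Sub(campaignCenter)
		if delta < 0 {
			delta = -delta
		}
		conf := "medium"
		if delta <= window {
			conf = "high"
		}
		out = append(out, Finding{Repo: r, Confidence: conf})
	}
	return out
}

// SampleRepos is a constructed listing: the owner/repository name the article
// quotes, two ordinary names, and a generated-looking pair outside the date window.
func SampleRepos() []Repo {
	return []Repo{
		{"IV79VAew", "Km4zoh4s", time.Date(2025, time.July, 10, 14, 3, 0, 0, time.UTC)},
		{"platform", "frontend", time.Date(2024, time.March, 2, 9, 0, 0, 0, time.UTC)},
		{"alice", "Release2", time.Date(2025, time.July, 11, 8, 0, 0, 0, time.UTC)},
		{"Qx7LmP2a", "b9TzK4wQ", time.Date(2025, time.January, 5, 0, 0, 0, 0, time.UTC)},
	}
}

func main() {
	for _, f := range HuntRepos(SampleRepos(), 72*time.Hour) {
		fmt.Printf("%-6s %s/%s created %s\n", f.Confidence, f.Repo.Owner, f.Repo.Name, f.Repo.Created.Format(time.RFC3339))
	}
}
```

Requiring both the owner and the repository name to match keeps the false-positive rate manageable; a single generated-looking name (“Release2” here) is not flagged on its own. Any hit should be followed up by checking the repository for a committed symlink and the workload for an unexpected outbound SSH session.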
The disclosure comes as Wiz warned that threat actors are targeting compromised GitHub Personal Access Tokens (PATs) as an entry point to gain initial access to a victim’s cloud environment, as well as for lateral movement from GitHub into the cloud service provider (CSP) control plane.
The issue is that an attacker holding a PAT with only basic read permissions can use GitHub’s code search API to discover secret names embedded directly in workflow YAML. To make matters worse, if the compromised PAT has write permissions, the attacker can execute malicious code and remove traces of the activity.
“The attackers leveraged the compromised PAT to discover GitHub Action Secrets names in the codebase and used them in newly created malicious workflows to execute code and obtain CSP secrets,” said researcher Shira Ayal. “Threat actors have also been observed to completely bypass action logs and leak secrets to webhook endpoints they control.”
