- A high-severity vulnerability in the self-hosted Git service Gogs is actively exploited, affecting over 700 internet-accessible instances.
- The flaw, CVE-2025-8110, enables arbitrary file overwrite via symbolic link mishandling, leading to remote code execution.
- The exploit bypasses a previous fix for CVE-2024-55947, leveraging Gogs API and Git symbolic links to overwrite sensitive files.
- Attackers deploy Supershell-based malware to establish reverse SSH shells to their servers.
- Users are advised to disable open registration, restrict internet exposure, and scan for suspicious repositories until a patch is available.
A critical unpatched security flaw in the Go-based self-hosted Git service Gogs has been discovered to be under active exploitation as of mid-2025. The vulnerability, tracked as CVE-2025-8110 and rated with a CVSS score of 8.7, allows attackers to overwrite arbitrary files on affected servers. Over 1,400 exposed instances exist online, with more than 700 showing signs of compromise, according to findings from security researchers at Wiz.
This vulnerability arises from improper handling of symbolic links in the PutContents API of Gogs, enabling local code execution. It effectively bypasses a patch implemented in December 2024 for CVE-2024-55947, which previously addressed remote code execution but did not account for symbolic link exploitation. Attackers exploit this by creating a Git repository containing a symbolic link that points at a sensitive file, then using the API to write through the link and overwrite the target outside the repository. This allows modification of the “.git/config” file, specifically the sshCommand setting, to execute arbitrary commands on the server.
The malware used in these attacks is based on Supershell, an open-source command-and-control (C2) framework often linked to Chinese hacking groups. It establishes reverse SSH shells connecting to attacker-controlled servers, such as the IP address “119.45.176[.]196”. Researchers noted that the attackers left behind the repositories they created, which feature random 8-character owner and repository names, suggesting a rapid, opportunistic campaign.
Currently, there is no official fix for CVE-2025-8110. Users of Gogs are urged to disable open registration, reduce exposure to the internet, and scan for repositories matching the compromise profile. The vulnerability was initially found in July 2025 during the investigation of a malware infection on a customer system.
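The scan that the mitigation advice above calls for, as an added example (this is not code from the Wiz report or from the Gogs project): it walks a Gogs repository root, flags repositories whose owner and repository names match the random 8-character profile, and flags any repository whose Git config sets core.sshCommand, the setting the attackers abused. It also checks whether open registration is disabled in app.ini. The bare-repository layout `<root>/<owner>/<repo>.git`, the reading of "random 8-character" as eight ASCII letters or digits, and the sample tree are assumptions made for the example.

```python
"""Defender-side triage for the Gogs compromise profile described above:
repositories whose owner and repository names look randomly generated (8
characters) and whose Git config carries a core.sshCommand entry. Also checks
whether open registration is disabled in Gogs's app.ini."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: "random 8-character" names are eight ASCII letters/digits.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")


@dataclass
class Finding:
    owner: str
    repo: str
    reasons: list


def parse_git_config(text):
    """Minimal parser for Git's config / INI-style format.

    Returns {section: {key: value}} with section and key names lower-cased.
    Git indents keys with tabs, which configparser would treat as continuation
    lines, so the format is parsed by hand.
    """
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def config_sets_ssh_command(config_path):
    """True if the Git config file at config_path sets core.sshCommand."""
    if not config_path.is_file():
        return False
    cfg = parse_git_config(config_path.read_text(errors="replace"))
    return "sshcommand" in cfg.get("core", {})


def scan_repositories(repo_root):
    """Walk <repo_root>/<owner>/<repo>.git and return a Finding per repository
    that matches the compromise profile.

    Assumption: the bare-repository layout <owner>/<repo>.git under the Gogs
    repository root. Both <repo>.git/config and a non-bare .git/config are checked.
    """
    root = Path(repo_root)
    findings = []
    for owner_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for repo_dir in sorted(p for p in owner_dir.iterdir() if p.is_dir()):
            name = repo_dir.name
            repo_name = name[:-4] if name.endswith(".git") else name
            reasons = []
            if RANDOM_NAME.match(owner_dir.name) and RANDOM_NAME.match(repo_name):
                reasons.append("owner and repository names are 8 random-looking characters")
            for cfg in (repo_dir / "config", repo_dir / ".git" / "config"):
                if config_sets_ssh_command(cfg):
                    reasons.append(f"{cfg.relative_to(root)} sets core.sshCommand")
                    break
            if reasons:
                findings.append(Finding(owner_dir.name, repo_name, reasons))
    return findings


def registration_disabled(app_ini_text):
    """True if the [service] section of Gogs's app.ini sets DISABLE_REGISTRATION = true."""
    cfg = parse_git_config(app_ini_text)
    return cfg.get("service", {}).get("disable_registration", "").lower() == "true"


def build_sample_tree(base):
    """Construct a small repository root (sample data, not from a real server):
    one ordinary repository and one that matches the compromise profile."""
    base = Path(base)
    benign = base / "alice" / "website.git"
    benign.mkdir(parents=True)
    (benign / "config").write_text("[core]\n\trepositoryformatversion = 0\n\tbare = true\n")
    suspect = base / "qz8k2m1p" / "x7r4n9aa.git"
    suspect.mkdir(parents=True)
    (suspect / "config").write_text("[core]\n\tbare = true\n\tsshCommand = PLACEHOLDER_COMMAND\n")
    return base


def demo_scan():
    """Run the scanner over the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repositories(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding.owner}/{finding.repo}: " + "; ".join(finding.reasons))
```

Run `scan_repositories` against the real repository root (the path set as ROOT in the `[repository]` section of app.ini) rather than the sample tree. The name heuristic on its own will also match ordinary short account names such as "johndoe1", so treat it as a triage signal; a core.sshCommand entry inside a server-side bare repository config is the stronger indicator, since Gogs has no reason to write one there itself.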
Separately, there is growing concern as threat actors increasingly exploit leaked GitHub Personal Access Tokens (PATs) to gain initial access to cloud environments. These tokens can be abused to locate secret keys embedded in GitHub workflow files and to execute malicious code. According to researcher Shira Ayal, attackers have used compromised PATs to discover GitHub Actions secrets and use them to obtain further cloud service provider credentials, while evading detection through covert exfiltration techniques.
For more details about the exploit and mitigation, refer to the original Wiz report and the CVE description on CVE.org.
