Executive Summary

CRITICAL WARNING: A high-severity unpatched zero-day vulnerability, CVE-2025-8110, in the Gogs self-hosted Git service is under active exploitation. Security researchers at Wiz have discovered over 700 internet-accessible instances that have already been compromised. The vulnerability allows an unauthenticated attacker to achieve remote code execution by overwriting arbitrary files, enabling them to gain SSH access to the underlying server. A patch is not yet available. Organizations using Gogs are urged to take immediate action to mitigate this threat.

Vulnerability Details

CVE-2025-8110 is a file overwrite vulnerability in the file update API of the Gogs service, stemming from improper handling of symbolic links. It has been assigned a CVSS score of 8.7 (High).

This vulnerability is a bypass of a previously patched RCE flaw, CVE-2024-55947, which was addressed in late 2024. The new exploit allows a remote, unauthenticated attacker to write a file to an arbitrary path on the server. The primary exploitation path observed in the wild involves attackers using this flaw to write their own public key to the .ssh/authorized_keys file of a user running the Gogs service. This grants them persistent SSH access to the server.

Affected Systems

• All versions of the Gogs self-hosted Git service are presumed to be vulnerable until a patch is released.

Exploitation Status

The vulnerability is being actively exploited in the wild. The campaign appears to be a "smash-and-grab" operation focused on compromising as many servers as possible. The attackers are deploying a malware payload based on Supershell, an open-source command-and-control (C2) framework often associated with Chinese hacking groups. This payload establishes a reverse SSH shell, giving the attackers persistent remote access.

Impact Assessment

The impact of this vulnerability is critical. Successful exploitation provides an attacker with remote code execution capabilities, typically with the privileges of the user account running the Gogs service. By gaining SSH access, attackers can:

• Steal source code, intellectual property, and other sensitive data stored in Git repositories.
• Use the compromised server as a pivot point to attack other systems within the network.
• Inject malicious code into software projects, launching a supply chain attack.
• Utilize the server's resources for cryptocurrency mining or to launch further attacks.

Cyber Observables for Detection

• Unauthorized SSH Keys: Check the .ssh/authorized_keys file for all users, especially the user running the Gogs service, for any unfamiliar or unauthorized public keys.
• Suspicious Repositories: The attackers have been observed leaving behind the repositories they create on compromised systems. Look for newly created, unexpected repositories.
• Network Connections: Monitor for outbound SSH connections (reverse shells) to unknown IP addresses from your Gogs server.
• Gogs Logs: Analyze Gogs service logs for unusual file update API requests, particularly those involving symbolic links or path traversal sequences (../).

Detection Methods

1. Vulnerability Scanning: Use vulnerability scanners to identify Gogs instances in your environment. While a specific plugin for CVE-2025-8110 may not exist yet, identifying all Gogs deployments is the first step.
2. File Integrity Monitoring (FIM): Implement FIM on critical files like .ssh/authorized_keys to alert on any unauthorized modifications. This is a direct application of D3FEND System File Analysis.
3. Threat Hunting: Proactively hunt for the observables listed above. Create SIEM rules to alert on outbound SSH from the Gogs server to non-whitelisted destinations.

Remediation Steps

As there is no patch available at the time of this report, mitigation actions are critical.

1. Disconnect from Internet (Immediate Action): If possible, immediately take any internet-facing Gogs instances offline or restrict access to them to a small set of trusted IP addresses. This is the most effective way to prevent exploitation. This is a form of D3FEND Network Isolation.
2. Review for Compromise: Assume your Gogs instance is compromised. Follow the detection steps above to look for signs of an intrusion.
3. Monitor for Patch: Closely monitor the official Gogs project for the release of a security patch. Apply it as soon as it becomes available.
4. Compensating Controls: If the service cannot be taken offline, place it behind a Web Application Firewall (WAF) with strict rules to inspect and block malicious API requests. However, the effectiveness of this may be limited without a specific signature for the exploit.