Hundreds of Gogs Servers Compromised via Unpatched Zero-Day Vulnerability A critical zero-day vulnerability (CVE-2025-8110) in Gogs, a self-hosted Git service, has allowed attackers to execute remote code on exposed instances, compromising hundreds of servers. The flaw stems from a path traversal weakness in the PutContents API, enabling threat actors to bypass protections for a previously patched RCE bug (CVE-2024-55947) by exploiting symbolic links to overwrite sensitive system files. While Gogs versions patched for CVE-2024-55947 now validate path names, they fail to check symlink destinations. Attackers exploit this by creating repositories with symlinks pointing to critical files—such as Git’s sshCommand configuration—allowing arbitrary command execution when data is written via the API. Wiz Research discovered the vulnerability in July 2024 after investigating a malware infection on a customer’s exposed Gogs server. Their scan identified over 1,400 publicly accessible Gogs instances, with 700+ showing signs of compromise. All affected servers exhibited identical attack patterns, including repositories with random eight-character names created in the same timeframe, suggesting a single automated campaign. The deployed malware, built using Supershell—an open-source C2 framework—established reverse SSH shells, communicating with a command-and-control server at 119.45.176[.]196. Many exposed instances had open registration enabled by default, expanding the attack surface. Gogs maintainers were notified on July 17, acknowledging the flaw on October 30 while developing a patch. A second wave of attacks was observed on November 1, underscoring the urgency of mitigation. The vulnerability remains unpatched as of the latest disclosure.