700+ self-hosted Gits battered in 0-day attacks with no fix imminent

Summary

Attackers are actively exploiting a zero-day vulnerability in Gogs (tracked as CVE-2025-8110). Wiz researchers discovered the flaw while analysing malware on an infected machine and responsibly disclosed it to Gogs maintainers; a patch is not yet available and exploitation continues.

The bug affects internet-exposed Gogs servers (version 0.13.3 and earlier) with open-registration enabled (the default). It effectively bypasses a prior fix (CVE-2024-55947) by abusing symbolic links and the PutContents API to overwrite files outside a repository, enabling remote code execution by changing .git/config (specifically sshCommand).

Wiz found roughly 1,400 internet-exposed Gogs instances; more than 700 were confirmed compromised. The compromised instances share a common pattern: a repository with a random 8-character owner and repository name, created on 10 July, carrying a payload that uses the Supershell command-and-control framework. Wiz published indicators of compromise and recommended mitigations.

Key Points

  • CVE-2025-8110 is an active zero-day in Gogs allowing remote code execution via symlink abuse and the PutContents API.
  • Vulnerable installs: Gogs 0.13.3 and earlier, internet-exposed with open-registration (default) enabled.
  • Wiz confirmed >700 out of ~1,400 exposed instances have been compromised; payloads used Supershell C2.
  • Exploit steps are trivial for any user with repo-creation permissions: create repo with symlink → use PutContents to overwrite target → overwrite .git/config to run arbitrary commands.
  • Gogs maintainers are working on a fix but no patch is available yet; active exploitation continues.
  • Immediate mitigations: disable open-registration if not needed; restrict access (VPN/firewall); monitor for new 8-character repos and unexpected PutContents API calls.
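The monitoring mitigation above, as an added example (not code from the article or from Wiz): a small scanner that flags successful PutContents calls by non-trusted users and any traffic to an owner/repo pair that matches the 8-character random-name pattern. The log layout and the `/api/v1/repos/{owner}/{repo}/contents/{path}` endpoint shape are assumptions, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample access log. The field layout (timestamp, authenticated
# user, method, path, status) is an ASSUMPTION for this example, not Gogs' real log format.
SAMPLE_LOG = """\
2025-07-10T03:12:01Z alice GET /api/v1/repos/alice/infra/contents/README.md 200
2025-07-10T03:14:55Z q7Zk2pLm POST /api/v1/user/repos 201
2025-07-10T03:15:02Z q7Zk2pLm PUT /api/v1/repos/q7Zk2pLm/H3vB9xQd/contents/cfglink 201
2025-07-10T03:15:03Z q7Zk2pLm PUT /api/v1/repos/q7Zk2pLm/H3vB9xQd/contents/evil.sh 201
2025-07-10T03:20:10Z bob PUT /api/v1/repos/bob/website/contents/index.html 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$')
# Assumed PutContents endpoint shape: /api/v1/repos/{owner}/{repo}/contents/{path}
CONTENTS_RE = re.compile(r'^/api/v1/repos/([^/]+)/([^/]+)/contents/(.*)$')
REPO_RE = re.compile(r'^/api/v1/repos/([^/]+)/([^/]+)(?:/|$)')
RANDOM8_RE = re.compile(r'^[A-Za-z0-9]{8}$')

@dataclass
class Finding:
    line_no: int
    user: str
    reason: str
    path: str

def looks_random8(owner, repo):
    """IoC heuristic from the write-up: owner and repo are both 8 alphanumeric characters."""
    return bool(RANDOM8_RE.match(owner) and RANDOM8_RE.match(repo))

def scan_log(text, trusted_put_users=frozenset()):
    """Return findings for untrusted PutContents writes and for 8-char owner/repo pairs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, user, method, path, status = m.groups()
        rm = REPO_RE.match(path)
        if rm and looks_random8(*rm.groups()):
            findings.append(Finding(n, user, '8-char random owner/repo pattern', path))
        cm = CONTENTS_RE.match(path)
        if method == 'PUT' and cm and status.startswith('2') and user not in trusted_put_users:
            findings.append(Finding(n, user, 'PutContents write by untrusted user', path))
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG, trusted_put_users={'bob'}):
        print(f)
```

Feed it your own access log and an allowlist of accounts that legitimately write through the API; anything else that hits the contents endpoint after 10 July deserves a look.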

Why should I read this?

If you run self-hosted Git (especially Gogs), this is not just another warning — it’s the real deal. Over half of exposed instances were hit, the exploit is easy for default installs, and there’s no patch yet. Read this so you know what to lock down right now.

Context and Relevance

This ties into a broader trend of attackers targeting self-hosted services with easy-to-exploit defaults. The incident reuses Supershell C2 (previously linked to high-profile intrusions) and demonstrates how incomplete fixes (here, symlink handling) can reintroduce critical RCEs.

Organisations that value supply-chain security, host internal code, or use self-managed DevOps tooling should treat this as urgent: default settings and internet exposure are high-risk. Wiz released full IoCs — run them against your estate and consider network isolation and temporary feature lockdowns until a patch lands.

Author style

Punchy: This is urgent for sysadmins and devops teams — the exploit is simple, the impact high, and many defaults make it trivial. If you care about keeping internal code and build systems safe, pay attention to the details and act now.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/10/gogs_0day_under_active_exploitation/