Listen to this Post
A severe security vulnerability in the self-hosted Git service Gogs is actively being exploited in the wild, raising alarms for organizations relying on the platform. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed real-world attacks. With the potential to allow remote code execution (RCE), the flaw poses a significant risk to systems worldwide, particularly those running older or unpatched versions of Gogs.
Understanding the Vulnerability
Tracked as CVE-2025-8110 and rated 8.7 on the CVSS v4.0 scale, the flaw originates from improper handling of symbolic links in Gogs’ PutContents API. Authenticated users can exploit this weakness to overwrite files outside of their repository, giving attackers the ability to manipulate critical system files and execute arbitrary code.
Researchers at Wiz discovered the vulnerability while investigating a malware infection. They noted that attackers were leveraging the flaw as a zero-day, circumventing protections implemented for a similar issue last year (CVE-2024-55947). By committing a symbolic link in a repository and interacting with it via the API, attackers can overwrite sensitive files such as the Git configuration file, where changes to sshCommand can directly lead to remote code execution.
Scope and Impact
Wiz reported that over 700 Gogs instances had already been compromised. According to Censys, there are currently 1,602 Gogs servers exposed online, with the largest concentrations in China, the US, and Germany. The ongoing exploitation underscores the urgency for administrators to take immediate action.
Although no official patch is currently available for CVE-2025-8110, the Gogs team has submitted code updates to the project’s main branch. Once new images are built, the latest and next-latest releases of Gogs are expected to include the fix. Meanwhile, attackers continue to deploy malware payloads linked to the Supershell C2 framework, with multiple waves of activity observed since July 2025.
Recommended Mitigations
CISA has instructed Federal Civilian Executive Branch agencies to implement defensive measures by February 2, 2026. For all organizations running Gogs, the following steps are advised immediately:
Disable open registration if not needed.
Restrict server access through a VPN or IP allow-list.
Monitor for unusual activity, such as repositories with random names or abnormal API calls.
The vulnerability affects Gogs versions up to 0.13.3, and any system running these releases should be treated as high risk until patched.
What Undercode Say:
The emergence of CVE-2025-8110 highlights a recurrent problem in self-hosted Git services: even minor misconfigurations can escalate into full system compromise when combined with sophisticated attack techniques. Symbolic link exploitation is not new, but the ability to bypass prior protections demonstrates how attackers adapt quickly to security patches.
Organizations relying on Gogs need to consider layered defenses, not just patching. Limiting API exposure, enforcing strict access controls, and active monitoring for unusual repository activity are crucial. The fact that thousands of servers remain publicly exposed indicates a broader awareness gap in the Git hosting community, which could lead to supply chain risks if attackers move laterally into developer environments.
The ongoing Supershell C2 campaigns reinforce that attackers are targeting infrastructure rather than individual endpoints, signaling a shift toward exploiting developer tools directly. This trend could accelerate attacks on CI/CD pipelines, particularly if symbolic link vulnerabilities remain unaddressed.
Another critical insight is the velocity of exploitation—within weeks of detection, hundreds of instances were already compromised. This underscores the importance of proactive monitoring and fast patch deployment, rather than reactive mitigation. Companies should also integrate threat intelligence feeds to detect patterns consistent with Supershell or other Git-targeted attacks.
Ultimately, CVE-2025-8110 is a stark reminder that developer tooling can become an attack vector, and secure configuration, access restrictions, and monitoring are as important as software updates themselves. Organizations must assume any exposed Gogs instance is a potential entry point for advanced attackers.
Fact Checker Results:
✅ CVE Details – Confirmed CVE-2025-8110 vulnerability and CVSS 8.7 rating.
✅ Exploit Evidence – Verified reports of real-world attacks on over 700 Gogs instances.
✅ Mitigation Recommendations – Align with CISA guidance and Wiz research findings.
Prediction:
🚨 Exploitation of CVE-2025-8110 will likely increase globally until patches are widely deployed.
⚡ Developers’ servers will become prime targets for lateral attacks in software supply chains.
🔒 Organizations that act quickly with access restrictions and monitoring will avoid major breaches, while slow adopters may face escalating ransomware or remote code execution incidents.
If you want, I can also create a visual timeline showing the waves of CVE-2025-8110 exploitation and patch progress to make this analysis more digestible. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
