Unpatched Gogs Zero-Day Exploited in Recent Cyber Attacks

Wiz has identified active exploitation of a critical vulnerability in Gogs, a self-hosted Git service, tracked as CVE-2025-8110. The flaw allows attackers to overwrite files because of improper handling of symbolic links, enabling arbitrary code execution. Discovered accidentally in July 2025, it bypasses the earlier patch for CVE-2024-55947, which aimed to prevent remote code execution by restricting where files could be placed on the server.

The exploitation involves using symbolic links to execute code through a four-step process, leveraging the Gogs API's ability to modify files outside the standard Git workflow. The malware involved appears to be derived from Supershell, a tool associated with Chinese hacking groups, used to establish reverse SSH shells.
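The weakness described above is a symbolic-link check missing from an API write path. As an added illustration for this post, not Gogs' own code or its patch, the Go helper below shows the shape of the defence: resolve the repository root, normalise the requested path lexically, and refuse the write if any component already on disk is a symlink. The names safeTarget, writeRepoFile and ErrSymlinkComponent are assumptions.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrSymlinkComponent = errors.New("path contains a symlink component")

// safeTarget resolves rel inside root for an API-driven file write and refuses
// it if any path component already on disk is a symbolic link, so a link
// planted in the repository cannot redirect the write outside it. (Hypothetical)
func safeTarget(root, rel string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root) // root's real location
	if err != nil {
		return "", err
	}
	// Clean("/"+rel) cannot climb above "/", so ".." never escapes lexically.
	target := filepath.Join(rootReal, filepath.Clean("/"+rel))
	cur := rootReal
	for _, part := range strings.Split(strings.TrimPrefix(target, rootReal), string(os.PathSeparator)) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat inspects the link itself, not its target
		if errors.Is(err, os.ErrNotExist) {
			break // rest of the path does not exist yet and will be created
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlinkComponent
		}
	}
	return target, nil
}

// writeRepoFile performs the checked write. Run the check and the write under
// the service's per-repository lock so a link cannot be swapped in between.
func writeRepoFile(root, rel string, data []byte) error {
	target, err := safeTarget(root, rel)
	if err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}
```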

Wiz found over 700 compromised Gogs systems, with repositories featuring random 8-character names, indicating a widespread attack likely orchestrated by a single entity. With no official fix available, users are advised to disable open registration, restrict internet access, and monitor for suspicious repositories.

Additionally, hackers are exploiting leaked GitHub Personal Access Tokens (PATs) to infiltrate cloud environments, using GitHub's code search to locate secret names and execute malicious code. This tactic allows them to extract cloud service provider secrets and evade detection by bypassing Action logs.

The report highlights the increasing sophistication of cloud threats and the challenges of community patching, emphasizing the need for vigilance and proactive security measures.

Stay secure — stay Wavasec. 🔐