Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

216.73.216.6

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

· Published 10/12/2025 18:35 · Modified 21/12/2025 18:57

Essential information

Published: 10/12/2025 18:35
Modified: 21/12/2025 18:57
Tags: 2025-12-10 CVE-2024-55947 CVE-2025-8110 cloud security git service gogs rce supershell symlink bypass vulnerability zero-day
Related entities: 6 vulnerabilities (cve), 11 techniques (mitre), 1 malware

Description

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution. Over 700 compromised instances have been identified on the internet. The vulnerability affects Gogs servers (version <= 0.13.3) exposed to the internet with open-registration enabled. The attack chain involves creating a repository with a symbolic link, then using the PutContents API to overwrite sensitive files. The malware used in the attacks is based on the Supershell framework, designed for establishing reverse SSH shells.