
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Actively Exploited Gogs Zero-Day Enables Widespread Server Compromise

A high-severity zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited in the wild. Security researchers report that more than half of all internet-exposed Gogs instances show signs of compromise. The flaw enables attackers to overwrite arbitrary files on the server and ultimately execute code remotely, allowing full system takeover. With no patch currently available, organizations running Gogs face immediate risk and must take defensive action to reduce exposure.
Context
Gogs is a lightweight, Go-based Git service widely used by organizations that prefer self-hosted version control infrastructure. Because it often runs with elevated privileges and integrates directly with development workflows, a compromise can quickly escalate from source code exposure to broader infrastructure access. This incident highlights the continued targeting of developer tools and supply-chain components by threat actors seeking high-impact entry points.
What Happened
Cloud security firm Wiz discovered active exploitation of CVE-2025-8110 while investigating malware activity on a customer system. The vulnerability affects Gogs’ file update API and allows attackers to overwrite files outside of a repository.
Researchers identified approximately 1,400 exposed Gogs instances online. More than 700 of those showed evidence of compromise, including suspicious repositories with randomly generated eight-character names created around July 10, 2025. The scale and consistency of the activity suggest a coordinated campaign using shared tooling.
Technical Breakdown
CVE-2025-8110 is a file overwrite flaw caused by improper handling of symbolic links in Gogs’ PutContents API. It effectively bypasses a previously patched remote code execution vulnerability (CVE-2024-55947).
Attackers exploit the issue through a four-step chain:
Create a Git repository on the target Gogs instance.
Commit a symbolic link pointing to a sensitive file outside the repository.
Use the API to write data through the symlink, overwriting the external file.
Modify .git/config, specifically the core.sshCommand setting; Git runs that command in place of ssh whenever it fetches from or pushes to a remote for the repository, which turns the file overwrite into arbitrary command execution.
In observed attacks, adversaries deployed malware based on Supershell, an open-source command-and-control framework commonly associated with Chinese threat actors.
Impact Analysis
Successful exploitation grants attackers remote code execution and persistent access via SSH. From there, they can exfiltrate data, pivot to adjacent systems, or deploy additional malware. The presence of hundreds of compromised instances indicates a “smash-and-grab” campaign prioritizing speed and scale over stealth.
Why It Matters
Developer infrastructure is increasingly targeted because it offers privileged access to source code, secrets, and deployment pipelines. An unpatched vulnerability in a core DevOps tool like Gogs creates cascading risk across development, CI/CD, and production environments.
Expert Commentary
Wiz researchers noted that attackers left compromised repositories publicly visible, an operational mistake that helped identify the campaign. This behavior suggests automation and opportunistic exploitation rather than highly tailored intrusions, but the impact remains severe.
Key Takeaways
CVE-2025-8110 is a critical, actively exploited zero-day in Gogs.
Over 700 internet-facing instances show signs of compromise.
The flaw enables arbitrary file overwrite and remote code execution.
No official patch is available at the time of disclosure.
Organizations should immediately restrict access, disable open registration, and audit repositories for suspicious activity.
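One way to act on the audit advice above, as an added Go example and not a Wiz or Gogs tool: walk a Gogs repository root and flag the two indicators the article describes, repository names of eight random characters and a config that sets sshCommand. Assumptions of mine: Gogs keeps bare repositories laid out as <root>/<owner>/<name>.git; the name pattern is ^[A-Za-z0-9]{8}$ (my reading of "randomly generated eight-character names"); hooksPath and fsmonitor are my own additions to the key list beyond the sshCommand the article names. BuildFixture writes constructed sample repositories, including a legitimate one called "frontend" to show that the name heuristic by itself is only a lead.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious observation: the git directory and the reason.
type Finding struct{ Repo, Reason string }

// Eight alphanumerics, the naming pattern reported for the campaign's repos.
// Deliberately coarse ("frontend" matches too): a name hit is a lead, not proof.
var randomName = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// Config keys that make git launch a program. sshCommand is the one the
// advisory names; hooksPath and fsmonitor are my own additions.
var execKeys = map[string]bool{"sshcommand": true, "hookspath": true, "fsmonitor": true}

// scanConfig returns the lines of one git config file that set an exec key.
func scanConfig(path string) ([]string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, line := range strings.Split(string(raw), "\n") {
		line = strings.TrimSpace(line)
		if key, _, ok := strings.Cut(line, "="); ok && execKeys[strings.ToLower(strings.TrimSpace(key))] {
			hits = append(hits, line)
		}
	}
	return hits, nil
}

// Audit walks root and reports every git directory (bare repo or .git) whose
// name fits the campaign pattern or whose config sets an exec key. Gogs is
// assumed to store bare repos as <root>/<owner>/<name>.git.
func Audit(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		if _, err := os.Stat(filepath.Join(path, "HEAD")); err != nil {
			return nil // not a git directory; keep descending
		}
		if randomName.MatchString(strings.TrimSuffix(d.Name(), ".git")) {
			findings = append(findings, Finding{path, "eight-character random-looking name"})
		}
		hits, err := scanConfig(filepath.Join(path, "config"))
		if err != nil && !os.IsNotExist(err) {
			return err
		}
		for _, h := range hits {
			findings = append(findings, Finding{path, "config sets " + h})
		}
		return filepath.SkipDir // objects/ and refs/ hold nothing to audit here
	})
	return findings, err
}

// BuildFixture writes a constructed Gogs-style repo root: an ordinary repo whose
// name happens to be eight letters, and one mimicking the campaign.
func BuildFixture() (string, error) {
	root, err := os.MkdirTemp("", "gogs-audit-")
	if err != nil {
		return "", err
	}
	repos := map[string]string{
		"alice/frontend.git": "[core]\n\tbare = true\n",
		"bob/x7Kq9pL2.git":   "[core]\n\tbare = true\n\tsshCommand = /bin/true\n",
	}
	for dir, cfg := range repos {
		p := filepath.Join(root, dir)
		if err := os.MkdirAll(p, 0o755); err != nil {
			return "", err
		}
		for name, body := range map[string]string{"HEAD": "ref: refs/heads/master\n", "config": cfg} {
			if err := os.WriteFile(filepath.Join(p, name), []byte(body), 0o644); err != nil {
				return "", err
			}
		}
	}
	return root, nil
}

func main() {
	root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	findings, err := Audit(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.Repo, "->", f.Reason)
	}
}
```

To run it against a live instance, call Audit with the Gogs repository root instead of the fixture, then sort name-only hits by directory creation time and compare against the July 10, 2025 window and the public repository listing; a config that sets sshCommand, hooksPath or fsmonitor on a server-side repository has no legitimate reason to exist and should be treated as a confirmed indicator.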

