Overview
- Tracked as CVE-2025-8110, the flaw bypasses a prior fix for CVE-2024-55947 and remains unpatched as of December 10, with exploitation ongoing after a July disclosure and October acknowledgment.
- Wiz counted about 1,400 internet-exposed Gogs servers and confirmed compromises on more than 700, a scale worsened by the default open-registration setting.
- Attackers create a repository, commit a symlink that points into its .git directory, then call the PutContents API with a path that passes through that symlink, so the write lands on .git/config; setting sshCommand there (a key Git executes as a shell command) yields remote code execution. Ordinary accounts can create repositories by default, so any registered user has what the attack needs.
- Compromised hosts received a Supershell-based payload that contacted 119.45.176[.]196, and many showed telltale 8-character owner/repo names created around July 10.
- Defenders are urged to disable open registration, restrict exposure behind VPNs or allow-lists, and hunt for suspicious PutContents API use and randomly named repositories on Gogs 0.13.3 and earlier (there is no fixed release).
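The hunting steps above, as an added example that is not part of the original summary or of Gogs itself. It assumes the PutContents route is `PUT /api/v1/repos/<owner>/<repo>/contents/<path>` and that access logs are in combined (nginx-style) format; the log lines, IPs, repository names and config contents are constructed for the demo, and the "random name" test is a heuristic, not a Wiz indicator. Note that a write through a symlink does not show `.git` in the logged path, which is why the name heuristic and the on-disk `sshCommand` check are needed alongside the path check.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Assumed PutContents route (not confirmed by the summary):
#   PUT /api/v1/repos/<owner>/<repo>/contents/<path>
PUT_CONTENTS_RE = re.compile(
    r'"PUT\s+/api/v1/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)/contents/(?P<path>[^\s"?]+)'
)

# Heuristic for the 8-character owner/repo names the summary mentions:
# exactly eight alphanumerics containing a digit or mixed case.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")

# Git config keys are case-insensitive; match "sshCommand = ..." on any line.
SSH_COMMAND_RE = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)

# Constructed sample access log (RFC 5737 addresses, invented names).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:03:14:07 +0000] "PUT /api/v1/repos/q7Xk2pLm/Zt9aQ1vR/contents/lnk/config HTTP/1.1" 200 512
198.51.100.9 - - [10/Jul/2025:03:15:11 +0000] "PUT /api/v1/repos/alice/infra-docs/contents/README.md HTTP/1.1" 200 420
203.0.113.7 - - [10/Jul/2025:03:16:02 +0000] "PUT /api/v1/repos/q7Xk2pLm/Zt9aQ1vR/contents/.git/config HTTP/1.1" 200 512
198.51.100.9 - - [10/Jul/2025:03:17:30 +0000] "GET /api/v1/repos/alice/infra-docs/contents/README.md HTTP/1.1" 200 420
"""

# Constructed bare-repo configs; the sshCommand value is a placeholder, not the real payload.
CLEAN_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
TAMPERED_CONFIG = CLEAN_CONFIG + "\tsshCommand = sh /tmp/payload.sh\n"


def looks_random(name: str) -> bool:
    """True for 8-char alphanumeric names that do not read like a plain word."""
    if not RANDOM_NAME_RE.match(name):
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed_case = name != name.lower() and name != name.upper()
    return has_digit or mixed_case


@dataclass
class Finding:
    line_no: int
    owner: str
    repo: str
    path: str
    reasons: list = field(default_factory=list)


def hunt_put_contents(log_text: str) -> list:
    """Return every PutContents call in the log, annotated with why it looks suspicious."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = PUT_CONTENTS_RE.search(line)
        if not m:
            continue
        owner, repo, path = m.group("owner", "repo", "path")
        reasons = []
        if ".git" in path.split("/"):
            reasons.append("path targets .git")
        if looks_random(owner):
            reasons.append("random-looking owner")
        if looks_random(repo):
            reasons.append("random-looking repo")
        findings.append(Finding(n, owner, repo, path, reasons))
    return findings


def config_has_ssh_command(config_text: str) -> bool:
    """True if a Git config sets sshCommand, which Gogs never writes on its own."""
    return SSH_COMMAND_RE.search(config_text) is not None


def scan_repo_root(root: str) -> list:
    """Walk a Gogs repository root (e.g. /data/git/gogs-repositories) for tampered configs."""
    hits = []
    for cfg in Path(root).glob("*/*.git/config"):
        if config_has_ssh_command(cfg.read_text(errors="replace")):
            hits.append(str(cfg))
    return hits


if __name__ == "__main__":
    for f in hunt_put_contents(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.reasons else "review"
        print(f"line {f.line_no}: {flag} {f.owner}/{f.repo} path={f.path} {f.reasons}")
    print("tampered config detected:", config_has_ssh_command(TAMPERED_CONFIG))
```

In practice, run `scan_repo_root` against the server's repository root and treat any hit, or any PutContents call from a random-looking owner, as a confirmed-compromise lead rather than a false-positive candidate, since neither condition arises from normal Gogs use.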