Executive Summary
In early 2024, security researchers revealed that attackers had actively exploited a zero-day vulnerability in Gogs, a popular self-hosted Git service, for several months. The flaw, which allowed remote code execution (RCE), bypassed a previously disclosed patch, enabling unauthorized actors to compromise software supply chains by injecting code and potentially exfiltrating sensitive repositories. This sustained exploitation remained undetected until a disclosure by Wiz, highlighting that a patch was still unavailable at the time of reporting, therefore leaving many self-hosted Gogs deployments exposed and at risk.
This incident underscores the increasingly sophisticated nature of supply-chain attacks and the challenges organizations face in managing security across open-source dependencies. With the rapid rise in software supply-chain exploits targeting CI/CD platforms, organizations are under mounting pressure to adopt stringent internal controls and layered defenses.
Why This Matters Now
The Gogs vulnerability remains unpatched, creating an urgent window of exposure for any organizations running self-hosted instances. Attackers are specifically targeting supply-chain infrastructure, which can ripple across development ecosystems and downstream users. Immediate mitigation and monitoring are critical to prevent widespread exploitation.
Attack Path Analysis
Attackers exploited an unpatched zero-day in self-hosted Gogs to gain initial access, leveraging remote code execution. After compromise, they likely escalated privileges in the environment to access sensitive functions. Through internal east-west movement, the threat actors probed for additional assets and credentials. Command and control was maintained via covert channels, possibly using encrypted outbound traffic. Data exfiltration occurred as attackers staged and transmitted repositories or sensitive data outside the organization. Ultimately, the attack led to intellectual property theft, supply chain risk, or further compromise, impacting business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a zero-day vulnerability in self-hosted Gogs to achieve remote code execution and initial foothold.
Related CVEs
CVE-2025-8110
CVSS 8.8A symlink bypass in Gogs' PutContents API allows authenticated users to overwrite files outside the repository, leading to remote code execution.
Affected Products:
Gogs Gogs – <= 0.13.3
Exploit Status:
exploited in the wildCVE-2024-55947
CVSS 8.8A path traversal vulnerability in Gogs allows a malicious user to write a file to an arbitrary path on the server, potentially gaining SSH access.
Affected Products:
Gogs Gogs – < 0.13.1
Exploit Status:
proof of conceptCVE-2024-54148
CVSS 8.8A path traversal vulnerability in Gogs allows a malicious user to commit and edit a crafted symlink file to a repository to gain SSH access to the server.
Affected Products:
Gogs Gogs – < 0.13.1
Exploit Status:
proof of conceptCVE-2025-47943
CVSS 6.3A stored cross-site scripting (XSS) vulnerability in Gogs allows client-side JavaScript code execution due to the usage of a vulnerable and outdated component: pdfjs-1.4.20.
Affected Products:
Gogs Gogs – <= 0.14.0+dev
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Valid Accounts
Create Account
Impair Defenses
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Applications Protection
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Application Security and Vulnerability Management
Control ID: Applications: Continuous Vulnerability Management
NIS2 Directive – Supply Chain Security Measures
Control ID: Article 21.2(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerability in Gogs Git service creates RCE bypass risks for development environments requiring zero trust segmentation and threat detection capabilities.
Information Technology/IT
Unpatched Gogs zero-day exploitation threatens IT infrastructure through supply-chain attacks, demanding enhanced visibility controls and east-west traffic security measures.
Financial Services
Git service vulnerabilities expose financial institutions to supply-chain compromise requiring PCI compliance controls, encrypted traffic protection, and anomaly detection systems.
Health Care / Life Sciences
Self-hosted Git service RCE bypass threatens healthcare data integrity, necessitating HIPAA-compliant segmentation, egress filtering, and multicloud visibility enforcement.
Sources
- Attackers Exploited Gogs Zero-Day Flaw for Monthshttps://www.darkreading.com/vulnerabilities-threats/attackers-exploited-gogs-zero-day-monthsVerified
- CVE-2025-8110: Gogs File Overwrite RCE Flawhttps://fidelissecurity.com/vulnerabilities/cve-2025-8110/Verified
- Unpatched Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploitedhttps://news.wyosupport.com/unpatched-gogs-zero-day-rce-cve-2025-8110-actively-exploited/Verified
- Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploitedhttps://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploitVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic controls, egress enforcement, and real-time threat detection could have prevented or contained attacker movement throughout the Gogs zero-day exploit lifecycle. CNSF capabilities would restrict attacker lateral movement, enforce least privilege between workloads, block unauthorized data egress, and surface anomalous behavior for rapid remediation.
Control: Inline IPS (Suricata)
Mitigation: Malicious exploit attempts would have been detected and blocked at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Movement from compromised workloads to privileged internal resources would have been prevented.
Control: East-West Traffic Security
Mitigation: Lateral traffic probing and unauthorized service-to-service connections would be detected or blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels and data staging attempts would have been blocked or alerted.
Control: Cloud Firewall (ACF)
Mitigation: Unauthorized file and repository transfers would be visible and preventable.
Rapid detection of abnormal behavior would limit attack dwell time and final harm.
Impact at a Glance
Affected Business Functions
- Version Control
- Software Development
- Continuous Integration
Estimated downtime: 5 days
Estimated loss: $50,000
Potential exposure of source code repositories, including proprietary code and sensitive information, due to unauthorized access and code execution.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy Inline IPS and perimeter controls to inspect for and block exploitation of supply chain and zero-day vulnerabilities.
- • Implement Zero Trust segmentation and least privilege boundaries between workloads and namespaces to limit lateral movement in case of initial compromise.
- • Enforce egress security and DNS/FQDN filtering to detect and stop unauthorized outbound C2 and data exfiltration traffic.
- • Ensure real-time threat detection and anomaly response capabilities across all cloud networks and applications to enable rapid incident containment.
- • Centralize multi-cloud observability and automated policy enforcement to ensure compliance and continuously adapt to evolving supply chain risks.
