Executive Summary
In July 2025, more than 700 internet-exposed instances of Gogs, a popular self-hosted Git service, were compromised via exploitation of an unpatched zero-day vulnerability (CVE-2025-8110). Threat actors took advantage of improper symbolic link handling in the file update API, enabling arbitrary file overwrite and remote code execution. Attackers deployed Supershell-based malware through a multi-step process to gain server access, leaving behind uniquely-named repositories and operating in a 'smash-and-grab' campaign style. The campaign exploited a previously patched flaw (CVE-2024-55947) bypass, emphasizing the importance of patch management and reducing attack surface exposure for critical developer infrastructure.
This incident is highly relevant as it highlights an ongoing surge in attacks targeting developer and DevOps tools, exposing how rapidly adversaries adapt to security patch cycles and leverage weaknesses in open-source environments. GIT system supply chain risks and attacker agility mandate urgent focus on threat detection, cloud workload security, and privileged access management.
Why This Matters Now
This attack underscores how quickly threat actors weaponize newly discovered flaws—often within weeks of identification—to compromise critical software supply chain infrastructure. The absence of an available patch for CVE-2025-8110 and the scale of impacted cloud workloads make immediate defensive action and monitoring urgent for all organizations relying on Gogs or similar DevOps tooling.
Attack Path Analysis
Attackers exploited an unpatched zero-day in public-facing Gogs instances, leveraging improper symlink handling to gain initial access and local code execution. They escalated privileges by overwriting configuration files and injecting malicious SSH commands. From there, they potentially pivoted laterally within the cloud environment or to connected systems. The attackers deployed Supershell for persistent command and control, enabling sustained access via a reverse SSH tunnel. They exfiltrated secrets, credentials, and configuration data, sometimes leveraging webhook endpoints. Finally, the incident impacted cloud workloads by enabling further compromise or destruction, though the campaign primarily focused on smash-and-grab operations.
Kill Chain Progression
Initial Compromise
Description
Exploited CVE-2025-8110 in exposed Gogs servers, abusing unpatched file overwrite via symlink to gain code execution.
Related CVEs
CVE-2025-8110
CVSS 8.7Improper symbolic link handling in the PutContents API in Gogs allows local execution of code.
Affected Products:
Gogs Gogs – All versions prior to 0.13.1
Exploit Status:
exploited in the wildCVE-2024-55947
CVSS 8.7A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.
Affected Products:
Gogs Gogs – All versions prior to 0.13.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Create Account
Ingress Tool Transfer
Modify Cloud Compute Infrastructure
Command and Scripting Interpreter: Windows Command Shell
Valid Accounts
Phishing: Spearphishing via Service
Unsecured Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Identified Security Vulnerabilities
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Asset Vulnerability Management
Control ID: Asset Management 1.3
NIS2 Directive – Incident Prevention and Response Procedures
Control ID: Art. 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure to Gogs zero-day CVE-2025-8110 remote code execution attacks targeting Git repositories, requiring immediate segmentation and egress filtering controls.
Information Technology/IT
High risk from unpatched Gogs instances enabling lateral movement and data exfiltration through compromised development infrastructure and GitHub token exploitation.
Financial Services
Critical compliance violations under PCI DSS from potential source code compromise and unauthorized access to payment processing systems via Git services.
Health Care / Life Sciences
HIPAA breach risks from compromised development environments potentially exposing patient data through inadequate east-west traffic security and access controls.
Sources
- Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attackshttps://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.htmlVerified
- Wiz Research: Gogs CVE-2025-8110 RCE Exploithttps://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploitVerified
- Gogs Security Advisory: GHSA-qf5v-rp47-55gghttps://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55ggVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Comprehensive Zero Trust controls—including segmentation, east-west policy enforcement, and egress restrictions—could have contained the initial exploit, limited lateral movement, blocked exfiltration channels, and supported rapid detection of anomalous activity in cloud workloads.
Control: Zero Trust Segmentation
Mitigation: Untrusted network paths would not allow direct access to Gogs instances.
Control: Multicloud Visibility & Control
Mitigation: Tampering attempts are surfaced through real-time telemetry and alerting on config changes.
Control: East-West Traffic Security
Mitigation: Unauthorized service-to-service and inter-region lateral movement is blocked.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 channels and unauthorized reverse SSH traffic are blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Sensitive data exfiltration is prevented or immediately alerted.
Rapid detection and response to anomalous activity limits operational impact.
Impact at a Glance
Affected Business Functions
- Version Control Systems
- Software Development
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of source code repositories and associated sensitive data.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately restrict internet access to cloud management and API endpoints using zero trust segmentation.
- • Apply east-west microsegmentation between workloads and restrict lateral movement paths across cloud regions.
- • Implement strict egress filtering and cloud firewall policies to prevent outbound C2 and data exfiltration.
- • Deploy centralized visibility and anomaly detection to rapidly surface unauthorized privilege escalation or config tampering.
- • Continuously audit exposed instances, rotate credentials, and enforce policy-driven access governance to maintain security posture.
