CVE-2025-8110 - Gogs 0-Day Hits 700+ Self-Hosted Git Servers
Category: Vulnerabilities & Exploits
Critical RCE in the Gogs self-hosted Git platform (all versions before 0.14.0) is being actively exploited via argument injection in the repository migration API. Attackers exploit CVE-2025-8110 (which bypasses the previous fix for CVE-2024-55947) to execute commands without authentication, then deploy the Supershell backdoor with DNS tunneling and anti-forensics. Over 700 of 1,400 internet-facing instances are confirmed compromised. Wiz discovered the zero-day accidentally in July during a malware investigation. The attack relies on symbolic link abuse: attackers create a repository containing a symlink, use the PutContents API to overwrite .git/config, and force the system to execute arbitrary commands. All compromised instances show 8-character random repository names created on July 10. The Supershell C2 suggests Asia-based threat actors. No fix is available yet; the Gogs maintainers are working on a patch.
CORTEX Protocol Intelligence Assessment
Business Impact: A zero-day with no patch available affects 50% of exposed Gogs instances. Git hosting compromise enables source code theft, repository poisoning, and supply chain attacks. Every compromised instance is a potential exfiltration point for intellectual property and credentials.
Technical Context: CVE-2025-8110 bypasses the CVE-2024-55947 fix through symbolic link abuse in the repository migration API (T1190, T1059). Attackers create a repository with a symlink, use the PutContents API to overwrite the sshCommand parameter in .git/config, and achieve RCE. The Supershell C2 framework indicates Chinese state-nexus actors; it was previously used in F5 exploits targeting US defense and UK government. Automated exploitation has been deploying across 700+ instances since July 10.
Strategic Intelligence Guidance
- Disable open registration on all Gogs instances, restrict access to trusted networks or VPN, and consider placing Git services behind authenticated reverse proxies while awaiting vendor patches.
- Hunt for indicators of compromise including unexpected repositories with random names, modifications to .git/config, and Supershell-related binaries or traffic patterns.
- Conduct a security review of CI/CD systems integrated with Gogs, rotating credentials and SSH keys, and revalidating the integrity of critical build pipelines and release artifacts.
- Evaluate longer-term migration paths from unmaintained or lightly maintained self-hosted Git platforms to more actively secured alternatives, incorporating supply chain risks into architecture decisions.
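A defender-side triage script for the hunting guidance above, added here as an example (not Wiz's or the Gogs project's code). It assumes, as a layout not stated in the brief, that Gogs stores bare repositories as <root>/<owner>/<name>.git/config, and it looks for the two leads the brief names: a core.sshCommand entry that a hosting server never needs, and 8-character random repository names. The sample config and the PLACEHOLDER value are constructed.

```python
# Added example: triage script for the CVE-2025-8110 pattern in the brief.
# Assumes (not from the page) Gogs stores bare repos as <root>/<owner>/<name>.git/config.
import re
from pathlib import Path

# Keys no bare Gogs repository should carry; sshCommand is the one the brief names.
SUSPECT_KEYS = {"sshcommand"}
# Heuristic for the 8-character random names the brief reports. A genuine
# 8-letter name ("frontend") also matches, so a hit is a lead, not proof.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
# Constructed sample of a tampered config; PLACEHOLDER stands in for the injected value.
SAMPLE_TAMPERED = "[core]\n\tbare = true\n\tsshCommand = PLACEHOLDER\n[remote \"origin\"]\n\turl = https://example.invalid/a.git\n"

def parse_git_config(text: str) -> list[tuple[str, str, str]]:
    """Minimal git-config reader: one (section, lowercased key, value) per entry."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        entries.append((section, key.strip().lower(), value.strip() if sep else "true"))
    return entries

def suspicious_entries(config_text: str) -> list[tuple[str, str, str]]:
    """Config entries matching the tampering the brief describes."""
    return [e for e in parse_git_config(config_text) if e[1] in SUSPECT_KEYS]

def is_random_name(repo_dir: str) -> bool:
    """True when a bare-repo directory name looks like 8 random characters."""
    return bool(RANDOM_NAME.match(repo_dir.removesuffix(".git")))

def hunt(repo_root: Path) -> list[str]:
    """Walk <root>/<owner>/<name>.git and return one line per lead."""
    findings = []
    for cfg in sorted(repo_root.glob("*/*.git/config")):
        repo = cfg.parent
        if is_random_name(repo.name):
            findings.append(f"{repo}: 8-character repository name")
        for section, key, value in suspicious_entries(cfg.read_text(errors="replace")):
            findings.append(f"{repo}: {section}.{key} = {value!r}")
    return findings

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_TAMPERED))  # [('core', 'sshcommand', 'PLACEHOLDER')]
```

Point hunt() at the Gogs repository root to scan a live server; a flagged name should then be checked against the July 10 creation date the brief reports before escalating.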
Intelligence Source: CVE-2025-8110 - Gogs 0-Day Hits 700+ Self-Hosted Git Servers | Dec 11, 2025