Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited
A zero-day Remote Code Execution (RCE) vulnerability (CVE-2025-8110) in Gogs, a self-hosted Git service, is being actively exploited. The vulnerability arises from a symlink bypass that allows authenticated users to overwrite files outside their repository, leading to system compromise. It affects Gogs versions up to 0.13.3 with open registration enabled and internet exposure. Attackers exploit this by creating repositories with symbolic links and using the PutContents API to overwrite sensitive files, then deploying malware such as the Supershell framework to establish reverse SSH shells. Over 700 instances have been compromised globally, with European organizations running publicly accessible Gogs instances at particular risk. Mitigation involves disabling open registration, restricting internet exposure, and monitoring repository activity for suspicious behavior. Although rated medium severity, the ease of exploitation combined with the potential for full system compromise elevates the threat level. Defenders should prioritize immediate remediation and monitoring to prevent further breaches.
AI Analysis
Technical Summary
The CVE-2025-8110 zero-day vulnerability in Gogs, a popular self-hosted Git service, enables remote code execution through a symlink bypass flaw. This vulnerability specifically affects Gogs versions up to 0.13.3 when open user registration is enabled and the service is exposed to the internet. The attack vector involves authenticated users creating repositories containing symbolic links that point outside the repository directory. By leveraging the PutContents API, attackers can overwrite arbitrary files on the host system beyond the repository scope. This file overwrite capability allows attackers to place malicious payloads or modify critical system files, ultimately leading to remote code execution and full system compromise. The active exploitation campaign has resulted in over 700 compromised instances worldwide, with attackers deploying malware based on the Supershell framework to establish persistent reverse SSH shells, enabling ongoing control and lateral movement. The vulnerability is particularly dangerous because it requires only authenticated access, which can be obtained via open registration, and does not require complex user interaction beyond repository creation. The threat actor group identified as China-Nexus is linked to this exploitation, indicating a potential state-sponsored campaign targeting critical infrastructure and organizations. Mitigation strategies focus on disabling open registration to prevent unauthorized account creation, restricting Gogs instances from internet exposure through network segmentation or firewall rules, and implementing monitoring for unusual repository activity such as creation of symbolic links or unexpected file overwrites. Despite the medium severity rating, the combination of ease of exploitation, broad impact, and active exploitation justifies urgent attention from administrators of Gogs instances.
Potential Impact
For European organizations, the impact of this vulnerability can be severe. Organizations using Gogs with open registration and internet exposure risk full system compromise, leading to potential data breaches, intellectual property theft, and disruption of development workflows. The deployment of Supershell-based malware enables attackers to maintain persistent access, conduct lateral movement, and potentially escalate privileges within the network. This can result in loss of confidentiality, integrity, and availability of critical systems. Given that Gogs is often used in software development environments, exploitation could also compromise source code repositories, impacting software supply chain security. The breach of development infrastructure can have cascading effects on product security and operational continuity. Additionally, the involvement of a state-linked adversary group suggests targeting of strategic sectors, increasing the risk for organizations in critical infrastructure, government, and technology sectors across Europe. The active exploitation and the number of compromised instances highlight the urgency for European organizations to assess their exposure and implement mitigations promptly.
Mitigation Recommendations
1. Immediately disable open user registration on all Gogs instances to prevent unauthorized account creation.
2. Restrict internet exposure of Gogs servers by placing them behind firewalls, VPNs, or internal networks accessible only to trusted users.
3. Monitor repository creation and updates for suspicious activity, specifically the creation of symbolic links or unusual file overwrite attempts.
4. Implement strict access controls and authentication mechanisms, including multi-factor authentication, to reduce the risk of unauthorized access.
5. Regularly audit and review Gogs server logs for signs of exploitation or abnormal behavior.
6. If possible, upgrade to a patched version of Gogs once available or apply vendor-provided mitigations.
7. Employ endpoint detection and response (EDR) tools to detect and respond to malware such as Supershell.
8. Conduct network segmentation to limit lateral movement in case of compromise.
9. Educate development teams about the risks of open registration and encourage secure configuration practices.
10. Prepare incident response plans specifically addressing potential compromise of development infrastructure.
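The symlink escape described in the technical summary and the monitoring called for in recommendation 3 come down to one check: does a link stored in a repository resolve outside the repository root? The following is an added example written for this page, not code from the Gogs project; it parses `git ls-tree -r` output and link-target blobs, and the sample tree and blob contents in it are constructed.

```python
"""Flag symlink entries in a Git tree that resolve outside the repository root.
Added example for this advisory, not code from the Gogs project: it parses
`git ls-tree -r <rev>` output (mode 120000 = symlink), reads each link's target
(what `git cat-file -p <blob>` prints) and reports absolute or ".."-escaping
targets. The sample tree and blob contents below are constructed."""
import posixpath
import subprocess
from typing import Callable, Dict, List, Tuple

SYMLINK_MODE = "120000"
Finding = Tuple[str, str, str]  # (symlink path, stored target, reason)


def resolves_outside_repo(link_path: str, target: str) -> bool:
    """True if following `target` from `link_path` leaves the repo root.
    Both are POSIX paths relative to the root, so a leading ".." after
    normalisation means the link climbs out of the repository."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def scan_tree(ls_tree_output: str, read_blob: Callable[[str], str]) -> List[Finding]:
    """Parse ls-tree lines ("<mode> <type> <sha>\\t<path>") and check every symlink."""
    findings: List[Finding] = []
    for line in ls_tree_output.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, _obj_type, sha = meta.split()
        if mode != SYMLINK_MODE:
            continue
        target = read_blob(sha).rstrip("\n")
        if resolves_outside_repo(path, target):
            reason = "absolute target" if target.startswith("/") else "relative target escapes root"
            findings.append((path, target, reason))
    return findings


def scan_repo(repo_dir: str, rev: str = "HEAD") -> List[Finding]:
    """Run the check against a real (bare or non-bare) repository via the git CLI."""
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", repo_dir, *args],
                              check=True, capture_output=True, text=True).stdout
    return scan_tree(git("ls-tree", "-r", rev), lambda sha: git("cat-file", "-p", sha))


# Constructed sample: three symlinks, two of which escape the repository.
SAMPLE_LS_TREE = "\n".join([
    "100644 blob 1111111111111111111111111111111111111111\tREADME.md",
    "120000 blob 2222222222222222222222222222222222222222\tdocs/etc-link",
    "120000 blob 3333333333333333333333333333333333333333\tescape",
    "120000 blob 4444444444444444444444444444444444444444\tdocs/readme-link",
])
SAMPLE_BLOBS: Dict[str, str] = {
    "2222222222222222222222222222222222222222": "/etc\n",
    "3333333333333333333333333333333333333333": "../../home\n",
    "4444444444444444444444444444444444444444": "../README.md\n",
}
```

`scan_tree(SAMPLE_LS_TREE, SAMPLE_BLOBS.__getitem__)` exercises the check on the constructed sample and reports `docs/etc-link` and `escape`; on a Gogs host, `scan_repo("/path/to/repo.git")` runs the same check over a real bare repository.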
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
- Adversary: China-Nexus
Threat ID: 682c992c7960f6956616ab5e
Added to database: 5/20/2025, 3:01:00 PM
Last enriched: 12/27/2025, 10:38:33 AM
Last updated: 1/7/2026, 6:12:01 AM