Cyber Pulse: Technical Threat Deep Dives on Active CVEs - Gogs Symlink Bypass Enables Remote Code Execution (CVE-2025-8110)

Intro

Wiz Research uncovered an active zero day in Gogs after investigating a malware infection. CVE-2025-8110 allows authenticated users to bypass a previous patch and write files outside the repository via symbolic links. This results in full remote code execution and has already led to more than 700 compromised public facing Gogs servers.

📌 CVE Context

– Product: Gogs versions up to and including 0.13.3
– Disclosure timeline: July 17, 2025 reported to maintainers to December 10, 2025 still unpatched
– Attack vector: Authenticated user with repository creation permissions
– Impact: Remote Code Execution through symlink based file write bypass

CVSS Metric Breakdown (v4.0) - CVE-2025-8110 (Symlink Bypass Leading to RCE)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality Impact (VC): High
Integrity Impact (VI): High
Availability Impact (VA): High
Scope Changed (SC): Yes
Safety Impact (SI): None
Automation (SA): High
Exploit Maturity: In the Wild
Base Score: 9.8 Critical

– Tools observed: Supershell C2 framework
– Malware hashes identified: multiple unique Go based binaries obfuscated with garble
– Confirmed victims: Over 700 compromised servers displaying identical repository creation patterns
– Global exposure: Approximately 1,400 public facing Gogs instances

🎯 EPSS Scoring

The Exploit Prediction Scoring System lists CVE-2025-8110 with the following values as of December 2025:

– EPSS Probability: 0.00079
– EPSS Percentile: 0.23974

Although the EPSS probability is low, real world exploitation is confirmed and widespread. This creates a significant detection gap where predictive scoring does not match active threat activity.

🔬 Exploitation Detail

– Attacker creates a repository
– Commits a symbolic link pointing to a file outside the repo
– Uses the PutContents API to write data to the symlink
– Gogs follows the link and overwrites the external file
– Remote Code Execution achieved by overwriting .git/config or SSH command entries

PUT /api/v1/repos/user/repo/contents/symlink_to_/etc/profile
Authorization: token {token}
{
  "content": "base64_payload_here",
  "message": "overwrite"
}
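
The defensive counterpart of the steps above, as an added Go example (this is not Gogs code and does not reproduce its PutContents handler): before a content write is committed to disk, the requested repository-relative path is rejected if it is absolute, climbs out of the root with "..", or passes through any existing component that is a symbolic link. SafeRepoPath, its error values and the constructed temporary-directory scenario in main are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrEmptyPath     = errors.New("empty repository path")
	ErrEscapesRepo   = errors.New("path resolves outside the repository root")
	ErrSymlinkInPath = errors.New("path passes through a symbolic link")
)

// SafeRepoPath validates a user-supplied, repository-relative file path before a write.
// It rejects absolute paths, ".." traversal, and any existing path component that is a
// symbolic link, so the eventual write can only land on a regular path inside repoRoot.
// On success it returns the absolute path that is safe to create or overwrite.
func SafeRepoPath(repoRoot, userPath string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	// Canonicalise the root itself so every later comparison uses the real directory.
	if canon, err := filepath.EvalSymlinks(root); err == nil {
		root = canon
	}
	if userPath == "" {
		return "", ErrEmptyPath
	}
	if filepath.IsAbs(userPath) {
		return "", ErrEscapesRepo
	}
	full := filepath.Join(root, userPath) // Join also cleans, collapsing "a/../../x"
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	// Walk each component that already exists. A symlink anywhere on the way means the
	// kernel would redirect the write, which is exactly the behaviour being abused.
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // the rest of the path will be created fresh; nothing to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlinkInPath
		}
	}
	return full, nil
}

func main() {
	// Constructed scenario: a repository that already contains a committed symlink
	// pointing at a file outside the tree.
	root, err := os.MkdirTemp("", "repo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.Symlink("/etc/hostname", filepath.Join(root, "link"))

	for _, p := range []string{"docs/README.md", "link", "link/x", "../../etc/profile", "/etc/profile"} {
		full, err := SafeRepoPath(root, p)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-20s ok -> %s\n", p, full)
	}
}
```

The check is deliberately run against the on-disk tree rather than against the Git index, because a symlink committed through any other route (push, web UI, a previous API call) is what gets followed at write time. It is still a check-then-act sequence, so a production handler should pair it with a file open that refuses to follow links (O_NOFOLLOW, or a directory-fd-relative open) rather than rely on the validation alone.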

📎 Attacker Behavior Snapshot

– Attackers send crafted PUT requests to the API contents endpoint
– Gogs writes data through symbolic links
– System overwrites targeted files such as .git/config
– Supershell malware downloaded and executed, granting remote SSH shell access

🧩 Why This Matters

This vulnerability shows how inadequate patching strategies create long-lasting exposure. Symbolic links have repeatedly been a weak point in the Gogs security design, and this bypass completely negates the previous fixes. Active exploitation demonstrates the ease and scale of compromise.

Exploitation results in:

  • Full remote command execution on affected servers
  • Stealthy persistence through modified configuration files
  • Potential lateral movement across internal networks

🧩 MITRE ATT&CK Mapping

Initial Access: T1190 Exploit Public Facing Application
Execution: T1059.003 Command Shell
Persistence: T1505.003 Server Software Component

🧪 Detection Rules

YARA Rule (Memory/Doc/PCAP)

rule Supershell_Payload {
  meta:
    description = "Detects Supershell based C2 binaries"
  strings:
    $s1 = "Supershell" ascii nocase
    $s2 = "sshCommand"
    $x1 = { 89 50 4e 47 ?? ?? ?? ?? 49 48 44 52 }
  condition:
    any of ($s*) or $x1
}

Suricata or Zeek (Network)

alert http any any -> any any (msg:"Gogs RCE Exploit PutContents API"; http.method; content:"PUT"; http.uri; content:"/api/v1/repos/"; content:"contents"; nocase; sid:20258110; rev:1;)

Sigma Rule (SIEM/EDR)

title: Gogs PutContents Symlink Abuse
logsource:
  category: webserver
  product: gogs
detection:
  selection:
    Method: "PUT"
    URI|contains|all:
      - "/api/v1/repos/"
      - "contents"
  condition: selection
level: high

🔎 Detection Strategies

✅ Network Detection:

  • Monitor for PUT requests to contents endpoints
  • Look for sudden creation of repositories containing 8 character random names
  • Investigate unusual API access from new or foreign IP addresses

✅ Endpoint Detection:

  • Track changes to .git/config
  • Detect newly dropped Go binaries with UPX packing or garble obfuscation
  • Identify SSH shell activity spawned from Gogs processes

⚡ Splunk Query

index=gogs sourcetype=gogs_api
"PUT" "/api/v1/repos/" "contents"
| stats count by src_ip, uri_path, user_agent
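
The same selection as the Sigma rule and the Splunk query, implemented as an added Go example over a constructed access log (not a real Gogs log, and not a Gogs or Wiz tool). It goes one step beyond the rules above: besides matching PUT requests under /api/v1/repos/ whose URI contains "contents", it parses out owner, repository and file path, flags repository names that match the 8-character random pattern noted under Network Detection, and aggregates hits per source address. SampleLog, ContentWrite, looksRandom and the 8-lowercase-alphanumerics heuristic are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is a constructed set of access-log lines in common log format; it is not a
// real Gogs log. Two of the PUT calls target repositories with 8-character random-looking names.
const SampleLog = `203.0.113.7 - alice [11/Dec/2025:10:00:01 +0000] "GET /user/login HTTP/1.1" 200 512
203.0.113.7 - alice [11/Dec/2025:10:00:05 +0000] "POST /repo/create HTTP/1.1" 302 0
203.0.113.7 - alice [11/Dec/2025:10:00:09 +0000] "PUT /api/v1/repos/alice/x7k2m9qa/contents/link HTTP/1.1" 201 88
198.51.100.4 - bob [11/Dec/2025:10:01:00 +0000] "PUT /api/v1/repos/bob/website/contents/index.html HTTP/1.1" 200 120
198.51.100.4 - bob [11/Dec/2025:10:01:30 +0000] "GET /api/v1/repos/bob/website/contents/index.html HTTP/1.1" 200 120
203.0.113.7 - alice [11/Dec/2025:10:02:13 +0000] "PUT /api/v1/repos/alice/p3q8z1wd/contents/link HTTP/1.1" 201 88`

// ContentWrite is one PUT to the repository contents API as parsed from an access log.
type ContentWrite struct {
	SrcIP, User, Owner, Repo, Path, Status string
	RandomRepoName                          bool
}

var (
	// common log format: ip ident user [time] "METHOD URI PROTO" status size
	logLine     = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)
	contentsURI = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/contents/(.+)$`)
	shortName   = regexp.MustCompile(`^[a-z0-9]{8}$`)
)

// looksRandom is a crude heuristic for the "8 character random names" observed in the
// campaign (an assumption of this example, not a property of Gogs): exactly 8 lowercase
// alphanumerics mixing at least one letter and one digit.
func looksRandom(name string) bool {
	return shortName.MatchString(name) &&
		strings.ContainsAny(name, "0123456789") &&
		strings.ContainsAny(name, "abcdefghijklmnopqrstuvwxyz")
}

// DetectContentWrites returns every PUT to the contents endpoint found in the log text,
// mirroring the Sigma and Splunk selection (method PUT, URI under /api/v1/repos/ and
// containing "contents") with the owner, repo and path fields parsed out for triage.
func DetectContentWrites(logText string) []ContentWrite {
	var hits []ContentWrite
	for _, line := range strings.Split(logText, "\n") {
		m := logLine.FindStringSubmatch(line)
		if m == nil || m[3] != "PUT" {
			continue
		}
		u := contentsURI.FindStringSubmatch(m[4])
		if u == nil {
			continue
		}
		hits = append(hits, ContentWrite{
			SrcIP: m[1], User: m[2], Owner: u[1], Repo: u[2], Path: u[3], Status: m[5],
			RandomRepoName: looksRandom(u[2]),
		})
	}
	return hits
}

// CountBySource aggregates hits per client address, the equivalent of the Splunk
// "stats count by src_ip" step.
func CountBySource(hits []ContentWrite) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[h.SrcIP]++
	}
	return counts
}

func main() {
	hits := DetectContentWrites(SampleLog)
	for _, h := range hits {
		fmt.Printf("%s user=%s repo=%s/%s path=%s status=%s random_name=%v\n",
			h.SrcIP, h.User, h.Owner, h.Repo, h.Path, h.Status, h.RandomRepoName)
	}
	fmt.Println("writes per source:", CountBySource(hits))
}
```

Feed it the reverse proxy or Gogs access log in common log format; a source that produces several writes into freshly created random-named repositories in a short window is the pattern worth escalating, while a single PUT into a long-lived repository by a known user is normal API use.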

πŸ› οΈ SOC Detection Strategy

– Prioritize alerts involving repository creation and API writes
– Correlate file modifications with new user registrations
– Trigger high severity alerts for attempts to modify .git/config
– Use endpoint event sequences to identify Supershell activity

πŸ› οΈ Tools & Techniques

Tool | Usage
Sysmon | Track file modification and process ancestry
Velociraptor | Search for Supershell payload components
Zeek | Flag suspicious API traffic
Sigma and YARA | Deploy rule based detection across hosts

πŸ›‘οΈ Mitigation & Response

– No vendor patch available as of December 10, 2025
– Disable open registration immediately
– Restrict external access via VPN or allow list
– Audit repositories created after July 2025 for malicious symlink commits
– Rotate credentials and inspect SSH logs
– Implement WAF filters to block malicious API calls
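
The repository audit item above, as an added Go example rather than a Gogs or Wiz tool: it walks a checked-out working tree without following links and reports every symbolic link whose target, resolved relative to the link's own directory, lies outside the repository root. FindEscapingSymlinks, EscapingSymlink and the constructed temporary layout in main are assumptions of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// EscapingSymlink describes a symbolic link in a checked-out repository whose target
// resolves to a location outside the repository root.
type EscapingSymlink struct {
	Link   string // path of the symlink, relative to the root
	Target string // raw link target as stored in the link
}

// FindEscapingSymlinks walks a checked-out repository and returns every symlink whose
// target, resolved relative to the link's own directory, lies outside root. WalkDir does
// not follow symlinks, so the scan itself cannot be redirected out of the tree, and a
// link that points at another in-tree link is judged when that second link is visited.
func FindEscapingSymlinks(root string) ([]EscapingSymlink, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	var found []EscapingSymlink
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		target, err := os.Readlink(p)
		if err != nil {
			return err
		}
		resolved := target
		if !filepath.IsAbs(target) {
			resolved = filepath.Join(filepath.Dir(p), target) // Join cleans ".." segments
		}
		rel, err := filepath.Rel(absRoot, filepath.Clean(resolved))
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			relLink, _ := filepath.Rel(absRoot, p)
			found = append(found, EscapingSymlink{Link: relLink, Target: target})
		}
		return nil
	})
	return found, err
}

func main() {
	// Constructed layout: one in-tree link, one relative link that climbs out, one absolute link.
	root, err := os.MkdirTemp("", "repo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	must := func(e error) {
		if e != nil {
			panic(e)
		}
	}
	must(os.MkdirAll(filepath.Join(root, "docs"), 0o755))
	must(os.WriteFile(filepath.Join(root, "docs", "b.txt"), []byte("ok"), 0o644))
	must(os.Symlink("b.txt", filepath.Join(root, "docs", "a.txt")))
	must(os.Symlink("../../outside.txt", filepath.Join(root, "docs", "esc")))
	must(os.Symlink("/etc/profile", filepath.Join(root, "absolute")))

	found, err := FindEscapingSymlinks(root)
	must(err)
	for _, f := range found {
		fmt.Printf("escaping symlink: %s -> %s\n", f.Link, f.Target)
	}
}
```

Run it against each repository checked out at the revision under review; to cover history rather than only the current checkout, check out each suspicious commit in turn or list mode 120000 entries with `git ls-files -s`, then feed the resulting tree to the scanner.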

📋 Incident Response Snippets

– grep logs for API PUT calls to contents
– Identify connections to known C2 servers such as 119.45.176[.]196
– Check for payload servers 106.53.108[.]81 and 119.91.42[.]53
– Validate integrity of config files and system binaries
– Key IR questions:
  • Was open registration active?
  • How many users created new repos recently?
  • Did any internal systems initiate outbound SSH tunnels?

📚 Suggested Reading & External References

– Wiz Research write up on CVE-2025-8110
– CVE-2024-55947 advisory background
– Supershell framework documentation
– Shodan research on exposed Gogs servers

πŸ—ΎοΈ Final Thoughts

CVE-2025-8110 turns symbolic link handling into a full RCE vector by bypassing previous validation steps. Immediate hardening measures are necessary due to active exploitation.

Published: December 11, 2025
