Threat actors exploited an unpatched Gogs zero-day, tracked as CVE-2025-8110, to achieve remote code execution and compromise about 700 Internet-exposed servers.
Wiz researchers uncovered the flaw during an investigation into a malware infection on a customer workload.
The vulnerability is a path-traversal issue within the PutContents API, which permits attackers to circumvent mitigations put in place for a previous remote code execution bug (CVE-2024-55947) by misusing symbolic links. While newer versions of Gogs check the validity of path names, they fail to validate the destinations of symlinks.
Consequently, threat actors can create repositories containing symbolic links that point at sensitive system files and then use the PutContents function to overwrite files outside the repository's directory.
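The check the article says newer Gogs versions lack, written as an added Go example (this is not Gogs's own code; its PutContents handler and repository layout are not shown here, and the function names `LexicalTarget`, `ResolvedTarget` and `EscapingSymlinks` are assumptions). It places a path-name-only check beside one that resolves every symlink before accepting a write target, and adds a scanner that lists symlinks in a working tree whose targets resolve outside it, which is the audit a defender would run over existing repositories.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo: the write target does not stay under the repository root.
var ErrOutsideRepo = errors.New("target resolves outside the repository root")

// withinRoot reports whether the absolute, cleaned path p is root or below it.
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// LexicalTarget is the weaker check: "../" in the name is rejected, but nothing on
// disk is inspected, so a symlink inside the tree that points out of it passes.
func LexicalTarget(repoRoot, relPath string) (string, error) {
	target := filepath.Join(repoRoot, relPath) // Join cleans the result, collapsing ".."
	if !withinRoot(filepath.Clean(repoRoot), target) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// ResolvedTarget follows every symlink on the way to relPath, final component
// included, allows a not-yet-existing tail (so new files can be created), and
// refuses anything outside repoRoot or unresolvable (dangling links, loops).
func ResolvedTarget(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	cur, tail := filepath.Join(root, relPath), ""
	for {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			final := filepath.Join(resolved, tail)
			if !withinRoot(root, final) {
				return "", ErrOutsideRepo
			}
			return final, nil
		}
		// The entry exists (e.g. a dangling symlink) or failed for a reason other
		// than absence: refuse, because a later write would still follow it.
		if _, lerr := os.Lstat(cur); lerr == nil || !errors.Is(err, fs.ErrNotExist) {
			return "", fmt.Errorf("cannot resolve %s: %w", cur, err)
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			return "", err
		}
		tail, cur = filepath.Join(filepath.Base(cur), tail), parent // step up one component
	}
}

// EscapingSymlinks lists every symlink in a working tree whose target resolves
// outside the tree or cannot be resolved: the audit counterpart of the check.
func EscapingSymlinks(repoRoot string) ([]string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	var found []string
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr // WalkDir does not descend into symlinked directories
		}
		if resolved, err := filepath.EvalSymlinks(p); err != nil || !withinRoot(root, resolved) {
			rel, _ := filepath.Rel(root, p)
			found = append(found, rel)
		}
		return nil
	})
	return found, err
}

// Usage: go run . /path/to/working-tree  (defaults to the current directory)
func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	bad, err := EscapingSymlinks(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, rel := range bad {
		fmt.Println("escaping or dangling symlink:", rel)
	}
}
```

Resolving the path is a check at one instant: a user who can modify the tree between the check and the write can still replace a regular file with a symlink, so the write itself should also refuse to follow links (for example `O_NOFOLLOW`, or `openat2` with `RESOLVE_BENEATH` on Linux) rather than relying on the check alone.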
The researchers identified over 700 compromised Gogs instances that were publicly accessible on the internet. In their external scan, they found more than 1,400 Gogs servers publicly exposed, many of which had “Open Registration” enabled by default, presenting a significant attack surface for the flaw they detailed.
Source: Critical Gogs Zero Day Vulnerability Under Attack Hacking 700 Servers