Unpatched GitLab Zero-Day Exploited Across 1,000+ Instances Amid Active Attacks

  • Dec 11, 2025
  • 2 min read

Key Findings:


  • A high-severity, unpatched vulnerability in Gogs (CVE-2025-8110, CVSS score 8.7) is under active exploitation, with more than 700 compromised instances exposed online.

  • The vulnerability allows files to be overwritten through the file update API, which an attacker can chain into arbitrary code execution in a four-step process.

  • The malware deployed in the attacks is a payload based on Supershell, an open-source command-and-control (C2) framework often used by Chinese hacking groups.

  • Threat actors are also targeting leaked GitHub Personal Access Tokens (PATs) as high-value entry points for initial access to victim cloud environments.


Background


Gogs is a self-hosted Git service written in the Go programming language. The vulnerability, CVE-2025-8110, was discovered by Wiz while investigating a customer's malware infection in July 2025. The flaw allows an attacker to write a file to an arbitrary path on the server and gain SSH access.


Exploitation of CVE-2025-8110


The vulnerability is a bypass of a previously patched remote code execution flaw (CVE-2024-55947) that Gogs addressed in December 2024. That fix did not account for symbolic links in Git repositories, so an attacker can use the PutContents API to overwrite sensitive files outside the repository, including the ".git/config" file, and thereby execute arbitrary commands.
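The bypass described above turns on a path check that did not follow symbolic links. As an added example, not Gogs's code or its actual fix, this is the containment check a "write this file into the repository" API needs, written in Go because Gogs is; the names SafeRepoPath and ErrOutsideRepo are assumptions of the example.

```go
// Added example, not Gogs code: a symlink-aware containment check for a
// "write this file into the repository" API, in Go (the language Gogs uses).
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("target resolves outside the repository")

// SafeRepoPath maps relPath to an on-disk path under repoRoot, returning
// ErrOutsideRepo if the path, or any symlink it passes through, escapes it.
func SafeRepoPath(repoRoot, relPath string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err == nil {
		root, err = filepath.EvalSymlinks(root) // canonical root, symlinks resolved
	}
	if err != nil {
		return "", err
	}
	// Join cleans the result, so ".." in relPath lexically moves the target
	// above root; the physical check below catches that too.
	target := filepath.Join(root, relPath)
	// A string-prefix check alone is what a symlink inside the repository slips
	// past, so resolve the deepest existing ancestor (possibly target itself).
	existing := target
	for {
		if _, err := os.Lstat(existing); err == nil || filepath.Dir(existing) == existing {
			break
		}
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

func main() {
	fmt.Println(SafeRepoPath(".", "README.md"))
}
```

The check still races against a symlink created between the check and the write, so the write itself should also refuse to follow links (O_NOFOLLOW, or opening relative to an already-opened directory handle).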


Malware Deployment and Indicators of Compromise


The malware deployed in the attacks is a payload based on Supershell, a C2 framework commonly used by Chinese hacking groups. The researchers noted that the attackers left the repositories they had created behind on the customer's cloud workload, pointing to a "smash-and-grab" style campaign.


Targeting of GitHub Personal Access Tokens


Alongside the Gogs vulnerability, threat actors are also targeting leaked GitHub Personal Access Tokens (PATs) to obtain initial access to victim cloud environments. With a PAT's read permissions, an attacker can discover the names of secrets referenced in GitHub Actions workflows; if the PAT also has write permissions, they can execute malicious code and remove traces of their activity.


Mitigations and Recommendations


Because no fix is available for CVE-2025-8110, Gogs users should disable open registration, limit the service's exposure to the internet, and scan their instances for repositories with random 8-character names. Separately, organizations using CentreStack and Triofox are advised to update to the latest version and rotate the machine key if indicators of compromise are detected.


Sources


  • https://thehackernews.com/2025/12/unpatched-gogs-zero-day-exploited.html

  • https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html
