Zero-Day Dominoes: How a Gogs Flaw Opened the Gates to 700 Server Breaches

When a single overlooked detail can bring down hundreds of servers, the stakes of software security become painfully clear. This summer, a crafty cybercriminal campaign swept through the developer world, exploiting an unpatched zero-day in Gogs - a widely used self-hosted Git platform. The result? Over 700 servers breached, sensitive data at risk, and a stark warning for anyone running exposed infrastructure.

The Anatomy of a Breach

Gogs has gained traction as a lightweight, Go-based alternative to GitHub Enterprise or GitLab, particularly for organizations seeking control over their source code. However, this popularity comes with a downside: exposed instances often become prime targets for cybercriminals.

This particular breach unfolded when threat actors discovered a path traversal vulnerability in the PutContents API. Although Gogs had previously patched a similar bug (CVE-2024-55947), the new flaw (CVE-2025-8110) slipped through: the software validated file paths but failed to check where symbolic links pointed. By cleverly crafting repositories containing symlinks to sensitive system files, attackers could overwrite critical configurations - most notably, Git’s sshCommand - allowing them to execute arbitrary commands on the server.

The initial clue emerged in July, when Wiz Research investigated a malware infection on a client’s Gogs server. Their scan uncovered over 1,400 Gogs servers exposed to the internet, with more than half already compromised. Each attack followed the same pattern: random eight-character repository names, all created within a tight timeframe, pointing to a methodical and likely automated campaign.

The attackers didn’t just sneak in - they stayed. Using Supershell, an open-source command-and-control framework, they established persistent reverse SSH shells, maintaining access and control. Communication with a central C2 server allowed them to orchestrate further malicious activity across compromised systems.

Mitigation and Lessons Learned

Despite the vulnerability being reported to Gogs maintainers in mid-July, a fix was still in progress months later, with a second wave of attacks detected in November. In the meantime, experts urge Gogs users to disable open registration, restrict server access via VPN or allow lists, and check logs for suspicious API usage and oddly named repositories.

Conclusion

This Gogs breach is a sobering reminder that even small oversights in access control or code validation can have outsized consequences. As attackers grow more adept at automating their campaigns and exploiting overlooked flaws, the onus is on organizations to proactively secure their infrastructure and stay vigilant for the next zero-day lurking in plain sight.