Zero Day: 700 Instances of Self-Hosted Git Service Exploited
Unpatched Flaw in Open-Source Gogs Service Facilitates Remote Code Execution
An attacker has been exploiting a zero-day flaw in a popular, self-hosted Git service as part of apparently financially driven attacks, warned researchers.
The vulnerability, which remains unpatched, is present in the latest version of Gogs, a self-hosted Git service written in Go, and was discovered by researchers at cybersecurity firm Wiz. Many organizations use Gogs to self-host Git repositories on-premises or in the cloud - rather than with a service such as GitHub - and expose it to the internet to support use by distributed teams.
The Wiz researchers said that of roughly 1,500 internet-facing Gogs instances cataloged by the Shodan search engine, at least 700 show signs of having been exploited through a zero-day vulnerability now tracked as CVE-2025-8110. The flaw is present in the latest version of Gogs, released on June 9.
Information about the new vulnerability and Gogs being the target went live "five seconds before this presentation began," said the two Wiz researchers who presented their findings Wednesday in a briefing at the Black Hat Europe conference in London.
Exploiting the flaw gives attackers the ability to take full control of a server, potentially steal all Git code repositories, as well as press the server into service as a crypto miner, the researchers said.
They discovered the flaw after investigating a YARA rule that tripped on a customer's server on July 15, revealing a malware infection. But Gili Tikochinski, a malware researcher at Wiz, said he couldn't immediately identify any commonly used attack vector, misconfiguration or exploitation of a known vulnerability that might have preceded the infection.
Tikochinski contacted a colleague, Yaara Shriki, who specializes in cloud environments. Further investigation revealed an exposed web API that they traced back to Gogs, which they'd never heard of before. Reviewing the hacked server, they "saw an interesting file - a symlink to .git/config," which stoked their interest because "symlink usually means bad things are happening," reads a report they released Wednesday.
They next investigated a handful of the 1,500 internet-exposed Gogs servers and found that some showed an unusual pattern matching the infection on their customer's server. Each contained a Git repository whose owner name and repository name were both exactly eight apparently random alphanumeric characters, and all of these repositories had been created within a short timeframe.
"So of course we wrote a short Python script that looks for this precise pattern," Shriki said. "We ran this and found over 700 servers that were infected by the same attacker, because we saw the same pattern repeat." The earliest compromised server they found dated from July 10.
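The hunt the researchers describe, reconstructed as an added example (this is not Wiz's script and not Gogs project code): the heuristic is that both the repository owner and the repository name are exactly eight alphanumeric characters, and the matching repositories were created close together in time. The response shape (a `data` list with `owner.username`, `name`, `full_name` and `created_at`) and the `/api/v1/repos/search` endpoint are assumptions about the Gogs API; the sample JSON is constructed for the demonstration. The analysis runs offline on that sample; `fetch_repos_json` is the only network-touching piece and is not exercised here.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import urlopen

# Behavioral IoC from the report: owner and repo name are both exactly eight
# alphanumeric characters, and the repos were created within a short window.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")

# Constructed sample in the assumed shape of a Gogs /api/v1/repos/search
# response. The third entry has a random-looking owner but a human-chosen
# repo name, so it must NOT match; the fourth is an ordinary team repo.
SAMPLE_REPOS_JSON = """
{"data": [
  {"full_name": "a1b2c3d4/x9y8z7w6", "name": "x9y8z7w6",
   "owner": {"username": "a1b2c3d4"}, "created_at": "2025-07-10T03:14:07Z"},
  {"full_name": "q7w8e9r0/t5y6u7i8", "name": "t5y6u7i8",
   "owner": {"username": "q7w8e9r0"}, "created_at": "2025-07-10T03:14:09Z"},
  {"full_name": "abcdefgh/legit-tool", "name": "legit-tool",
   "owner": {"username": "abcdefgh"}, "created_at": "2025-07-10T03:14:08Z"},
  {"full_name": "devteam/billing-api", "name": "billing-api",
   "owner": {"username": "devteam"}, "created_at": "2024-02-01T10:00:00Z"}
], "ok": true}
"""


def _parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-07-10T03:14:07Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def analyze_repos(repos_json, window_seconds=600):
    """Apply the naming heuristic and report whether the hits cluster in time.

    Returns {"matches": [full_name, ...] sorted by creation time,
             "clustered": True if >= 2 hits fall within window_seconds}.
    """
    repos = json.loads(repos_json).get("data", [])
    hits = [
        r for r in repos
        if RANDOM_NAME.match(r["owner"]["username"]) and RANDOM_NAME.match(r["name"])
    ]
    hits.sort(key=lambda r: _parse_ts(r["created_at"]))
    clustered = False
    if len(hits) >= 2:
        span = _parse_ts(hits[-1]["created_at"]) - _parse_ts(hits[0]["created_at"])
        clustered = span.total_seconds() <= window_seconds
    return {"matches": [r["full_name"] for r in hits], "clustered": clustered}


def fetch_repos_json(base_url, limit=50, page=1, timeout=10):
    """Fetch one page of the (assumed) public repo search API of a Gogs host.

    Network access; only run against hosts you are authorized to scan.
    """
    query = urlencode({"q": "", "limit": limit, "page": page})
    url = f"{base_url.rstrip('/')}/api/v1/repos/search?{query}"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(analyze_repos(SAMPLE_REPOS_JSON))
```

The naming regex alone will produce the occasional false positive on a human-chosen eight-character name, which is why the time clustering is kept as a second signal; a single eight-by-eight repo on a host is worth a look, several created seconds apart is close to the pattern the researchers matched across 700 servers.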
In the Black Hat Europe briefing, Shriki said that one of the big takeaways from their investigation is that "any pattern that seems to be unique enough can be used as a behavioral indicator of compromise."
The researchers found that every infected server carried malware pointing to the same command-and-control server, that the same SSH commands were used on each, and that the malware dropped by the attacker had the same file hash in every case.
In every case, after gaining access to a server, the attacker deployed a version of SuperShell, an open-source, Python-based command-and-control framework designed to install a reverse SSH shell on an infected system.
The researchers do not know what else the attacker might have done on the other roughly 700 infected servers, since they closely analyzed only their customer's. Based on the attacker's behavior, however, they suspected an opportunistic, financially motivated actor, with the initial foothold perhaps a prelude to deploying ransomware or cryptomining.
"It's probably not a nation-state actor since they're not trying to hide themselves," Shriki said. "They are very aggressive, they're not trying to be stealthy, they're not trying to hide their traces. They could have deleted the repositories after they created them, but they didn't," she said.
After further investigation, the researchers found that the attack bypassed the fixes for two earlier flaws: CVE-2024-55947, a path traversal in the PutContents API, and CVE-2024-54148, which allowed editing a symbolic link so that an attacker could overwrite the actual file the symlink pointed to.
"The PutContents API was fixed for path traversal, but it was never fixed to block editing symlinks," Shriki said, thus resulting in their new CVE.
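The defect class the quote describes, shown as an added example in Python rather than Gogs' own Go code: a write-file handler that has been fixed for path traversal (the normalized path must stay under the repository root) but still opens the leaf with a plain `open()`, which follows a symlink out of the tree. The hardened variant refuses symlinks at the leaf, checks that the parent directory resolves inside the root, and opens with `O_NOFOLLOW` so the kernel enforces the check at open time. The function names, the `PathRejected` exception and the temporary directory layout are inventions for the demonstration; the stand-in target file plays the role of a file such as `.git/config` that lives outside what the API is supposed to reach.

```python
import os
import stat
import tempfile


class PathRejected(Exception):
    """Raised when a requested path is refused (hypothetical error type)."""


def _traversal_checked_path(root, rel):
    """Path-traversal fix only: normalized join must stay under root.

    This is the shape of a fix for a path traversal bug. It does nothing
    about symlinks, because normpath never touches the filesystem.
    """
    full = os.path.normpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        raise PathRejected(f"path escapes repository root: {rel}")
    return full


def put_contents_vulnerable(root, rel, data):
    """Traversal-safe but symlink-following write (the pattern described above)."""
    full = _traversal_checked_path(root, rel)
    with open(full, "w") as f:  # follows a symlink to wherever it points
        f.write(data)


def put_contents_hardened(root, rel, data):
    """Write that refuses to follow symlinks at the leaf or in any parent."""
    full = _traversal_checked_path(root, rel)
    real_root = os.path.realpath(root)
    parent_real = os.path.realpath(os.path.dirname(full))
    # A symlinked directory component would also let the write escape.
    if os.path.commonpath([real_root, parent_real]) != real_root:
        raise PathRejected(f"parent directory resolves outside root: {rel}")
    try:
        if stat.S_ISLNK(os.lstat(full).st_mode):
            raise PathRejected(f"refusing to write through symlink: {rel}")
    except FileNotFoundError:
        pass  # creating a new file is fine
    # O_NOFOLLOW closes the lstat/open race: the open itself fails (ELOOP)
    # if the leaf became a symlink between the check and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(full, flags, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Build a repo dir with a symlink escaping it; exercise both writers.

    Returns (vulnerable_wrote_through_symlink, hardened_refused, traversal_refused).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        os.mkdir(root)
        # Constructed stand-in for a sensitive file outside the tree.
        target = os.path.join(tmp, "git_config")
        with open(target, "w") as f:
            f.write("[core]\n\trepositoryformatversion = 0\n")
        os.symlink(target, os.path.join(root, "link"))

        put_contents_vulnerable(root, "link", "[core]\n\tinjected = true\n")
        with open(target) as f:
            vulnerable_wrote = "injected" in f.read()

        try:
            put_contents_hardened(root, "link", "payload")
            hardened_refused = False
        except PathRejected:
            hardened_refused = True

        try:
            put_contents_vulnerable(root, "../escape", "x")
            traversal_refused = False
        except PathRejected:
            traversal_refused = True

        return vulnerable_wrote, hardened_refused, traversal_refused


if __name__ == "__main__":
    print(demo())
```

The point the researchers make is visible in `demo()`: the traversal check passes for `link` in both versions, so only the open-time behaviour decides whether the write lands inside the repository or on the file the symlink points to. A second patch that only tightens the string check, as happened with the earlier CVE pair, leaves the symlink path open.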
The researchers sent a vulnerability report to the Gogs maintainers on July 17 and said they received an acknowledgement on Oct. 30.
The main developer of the open-source project, Jiahua Chen, aka Unknwon, didn't immediately respond to a request for comment about when a patch or security alert might be issued to users. "They are currently working on a fix, but active exploitation continues in the wild," the researchers said in their report.
They recommend updating as soon as a new version of the software becomes available, noting that a second wave of attacks targeting the vulnerability began on Nov. 1.
Beyond updating, they recommend two other mitigations: disable open registration in Gogs, which is enabled by default (the DISABLE_REGISTRATION setting under [service] in app.ini), so that a remote attacker cannot simply create the account needed to own a repository, and limit external access to any self-hosted Git server so that the API is not reachable from the open internet.
One major takeaway from the incident, the researchers said, is the need to find root causes of security anomalies. "We believe it's a very important lesson to learn: that in most of these cases, you don't just fix and forget. You really have to know why something bad happened, what is the root cause and what would have prevented it, and not just patch and move on," Tikochinski said.