Rohnert Park Today
By the People, for the People
700+ Gogs Servers Exploited in 0-Day Attack
Security researchers warn of ongoing exploitation of critical vulnerability in self-hosted Git service
Apr. 12, 2026 at 10:44pm
As self-hosted software vulnerabilities continue to emerge, this glowing visualization of a compromised Gogs server infrastructure underscores the critical need for vigilance and prompt patching to protect sensitive data and systems. (Rohnert Park Today)

A major zero-day vulnerability is actively being exploited against Gogs, a widely used self-hosted Git service, with no fix available yet. Security researchers from Wiz report that over 700 Gogs installations have been compromised in ongoing campaigns, describing the zero-day as an 'accidental' discovery made in July while examining malware on an infected machine.
Why it matters
The Gogs vulnerability allows attackers to gain remote code execution on exposed servers, potentially giving them control over sensitive data and systems. This incident highlights the risks of running self-hosted software without proper security measures and the need for prompt patching of critical vulnerabilities.
The details
Wiz researchers Gili Tikochinski and Yaara Shriki explained that the threat actor leveraged an as-yet-unknown flaw to gain access to exposed Gogs instances. The vulnerability, tracked as CVE-2025-8110, effectively bypasses a previously patched issue (CVE-2024-55947) that allowed authenticated users to overwrite files outside the repository. The new flaw enables remote code execution through a four-step process involving symbolic links and the Gogs API.
- In July, Wiz researchers discovered the vulnerability while examining malware on an infected machine.
- On July 10, the researchers observed the creation of new Gogs repositories with random eight-character names, indicating ongoing exploitation.
The players
Wiz
A cybersecurity research firm that discovered and reported the Gogs vulnerability.
Gili Tikochinski
A security researcher at Wiz who co-authored the blog post on the Gogs vulnerability.
Yaara Shriki
A security researcher at Wiz who co-authored the blog post on the Gogs vulnerability.
Manasseh Zhou
A security researcher who previously identified a remote code execution vulnerability (CVE-2024-55947) in Gogs.
Gogs
A self-hosted Git service that is widely used for hosting and managing Git repositories.
What they’re saying
“We must act quickly to address this critical vulnerability and protect our self-hosted Git infrastructure.”
— Gili Tikochinski, Security Researcher, Wiz
“This incident highlights the importance of keeping self-hosted software up-to-date and properly secured against emerging threats.”
— Yaara Shriki, Security Researcher, Wiz
What’s next
Gogs maintainers are working to develop a fix for the vulnerability, but in the meantime, administrators are advised to disable open-registration if it is not needed and reduce internet exposure by hosting self-hosted Git services behind a VPN.
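For administrators acting on the advice above, the following added example (not code from Wiz or the Gogs project) checks whether a Gogs `app.ini` leaves open registration enabled and lists repositories whose names match the eight-character pattern reported in the exploitation activity. The config key location, the name pattern and all sample data are assumptions or constructed values, as noted in the comments.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = """\
RUN_USER = git
RUN_MODE = prod

[auth]
DISABLE_REGISTRATION = false
"""
SAMPLE_REPOS = [  # (owner, repository name, creation time)
    ("alice", "infra-docs", "2026-01-05T14:02:11"),
    ("user4821", "zt81mmqa", "2026-01-06T03:12:05"),
    ("user4821", "k3v9xq2b", "2026-01-06T03:11:40"),
    ("bob", "web-frontend", "2026-01-06T09:30:00"),
]

def registration_open(app_ini_text):
    """True if the config leaves self-registration enabled.
    Assumption: the key is DISABLE_REGISTRATION under [auth] (Gogs 0.12+)
    or [service] (older releases); an unset key means registration is open."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini has keys before the first section header, which configparser
    # rejects, so park them under a throwaway section.
    cp.read_string("[_top]\n" + app_ini_text)
    for section in ("auth", "service"):
        if cp.has_option(section, "DISABLE_REGISTRATION"):
            return not cp.getboolean(section, "DISABLE_REGISTRATION")
    return True

# Assumption: "eight-character" means exactly eight ASCII letters or digits.
# Legitimate names of that shape match too, so hits are leads for review.
NAME_RE = re.compile(r"[A-Za-z0-9]{8}")

def eight_char_repos(repos):
    """Group matching repository names by owner, oldest first."""
    found = defaultdict(list)
    for owner, name, created in repos:
        if NAME_RE.fullmatch(name):
            found[owner].append((datetime.fromisoformat(created), name))
    return {o: [n for _, n in sorted(v)] for o, v in found.items()}

if __name__ == "__main__":
    print("open registration:", registration_open(SAMPLE_INI))
    print("repos to review:", eight_char_repos(SAMPLE_REPOS))
```

In practice the repository listing would come from the instance's own database or admin export; any owner that turns up here and was not created by a known user is worth a closer look.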
The takeaway
This zero-day attack on Gogs servers underscores the critical need for vigilance and prompt patching when it comes to self-hosted software. Organizations must stay proactive in securing their infrastructure against emerging vulnerabilities to protect sensitive data and systems.