Gogs Zero-Day Exploitation CVE-2025-8110
Targeted sectors
Undetermined; likely any organization using public-facing Gogs instances.
Countries
· Global
BLUF
Attackers are using a path traversal vulnerability in Gogs to achieve Remote Code Execution (RCE) and deploy resilient backdoors and proxy tools.
Date of first reported activity
· Publicly reported December 10, 2025
Date of last reported activity update
· December 10, 2025
APT names
· None attributed
Associated criminal organization names
· None specified.
IOCs
Varies by payload (PeerBlight, CowTunnel, ZinFoq); monitor Gogs server logs for anomalous outbound connections or file system changes.
TTPs
· T1190: Exploit Public-Facing Application (CVE-2025-8110)
· T1105: Ingress Tool Transfer (downloading additional payloads).
· T1071.001: Application Layer Protocol: Web Protocols (C2 communication over HTTP/S, BitTorrent DHT for fallback).
· T1048: Exfiltration Over Alternative Protocol (potential data exfiltration).
Malware names
PeerBlight (Linux backdoor using BitTorrent DHT C2)
CowTunnel (reverse proxy)
ZinFoq (Go-based post-exploitation implant)
Kaiji botnet variant
Malware sample
PeerBlight
sha256
a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d
URL to sample
hxxps://www.virustotal.com/gui/file/a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d
CowTunnel
sha256
776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
URL to sample
hxxps://www.virustotal.com/gui/file/776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
ZinFoq post-exploitation
sha256
0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce
URL to sample
hxxps://www.virustotal.com/gui/file/0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce
Kaiji botnet variant
sha256
c0450a97a026021cfbf25b5a7e33577de51d20b21948f02c3197b5c1f028af6e
URL to sample
hxxps://www.virustotal.com/gui/file/c0450a97a026021cfbf25b5a7e33577de51d20b21948f02c3197b5c1f028af6e
CVEs and CVSS Vectors
CVE-2025-8110
CVSS v4.0
· (8.7) AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/AU:Y/R:U/V:C
Scored by Wiz
Nessus ID
· There is no Tenable plugin ID at this time
Is this CVE on the KEV list
· Not at this time
Patch / Mitigation
URL to patch information
· There is no patch for this CVE at this time
Recommended Mitigation
Since an official patch is unavailable, security experts recommend the following immediate actions to protect your Gogs instance:
· Restrict Access: Place your Gogs service behind a VPN or limit access only to trusted users via IP allow-lists. This is the most effective immediate mitigation.
· Disable Open Registration: If your instance does not require public registration, disable the open-registration feature immediately; it is enabled by default in some installations.
· Monitor for Compromise: Look for indicators of compromise (IoCs), such as the creation of repositories with random 8-character names or unusual use of the PutContents API.
· Consider Migration: Due to the Gogs project's history of leaving high-priority vulnerabilities unaddressed, many security researchers recommend migrating to an actively maintained fork.
Suggested rules / potential hunts
Suggested Suricata rules
Monitor for traffic related to BitTorrent DHT protocols on non-standard ports or unusual outbound connections from Gogs server IPs.
Suggested Sentinel rules
Monitor for Gogs application logs indicating file writes outside of the expected repository paths.
Suggested Splunk hunts
(index=[your_gogs_index] OR index=[your_webserver_index]) ("CVE-2025-8110" OR file_path IN ("/tmp/*", "/var/www/html/*")) source_process=*gogs*
Monitor for unusual file creation by Gogs processes.
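Added example (not from the referenced reports or the Gogs project): a Python hunt for the indicator listed under Recommended Mitigation, PutContents API calls against repositories with 8-character names, run over reverse-proxy access logs. The combined log format, the /api/v1/repos/<owner>/<repo>/contents/ route shape, the known_repos allow-list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: combined-format access log from a reverse proxy in front of Gogs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: PutContents is reached as PUT /api/v1/repos/<owner>/<repo>/contents/<path>.
PUT_CONTENTS_RE = re.compile(
    r'^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/(?P<file>[^?]*)')
# Indicator from the brief: repository names made of 8 random characters.
RANDOM_NAME_RE = re.compile(r'^[A-Za-z0-9]{8}$')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:03:14:07 +0000] "POST /api/v1/user/repos HTTP/1.1" 201 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Dec/2025:03:14:09 +0000] "PUT /api/v1/repos/tmpuser/xk3q9zvb/contents/notes.txt HTTP/1.1" 201 340 "-" "python-requests/2.31"
198.51.100.20 - - [10/Dec/2025:09:01:44 +0000] "PUT /api/v1/repos/alice/frontend/contents/README.md HTTP/1.1" 201 298 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2025:09:02:10 +0000] "GET /alice/frontend HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

def hunt(log_text, known_repos=frozenset()):
    """Return one finding per PutContents request, scored for triage."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue  # malformed line or not a write request
        p = PUT_CONTENTS_RE.match(m["path"])
        if not p:
            continue
        full = f'{p["owner"]}/{p["repo"]}'.lower()
        # An 8-character name is only a weak signal; the allow-list removes known repos.
        odd_name = bool(RANDOM_NAME_RE.match(p["repo"])) and full not in known_repos
        findings.append({
            "ip": m["ip"], "time": m["ts"], "repo": full, "file": p["file"],
            "status": int(m["status"]), "severity": "high" if odd_name else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, known_repos={"alice/frontend"}):
        print(finding)
```

Populate known_repos (lowercase owner/repo) from your own repository inventory; without it, legitimate 8-character names such as "frontend" are also scored high.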
Delivery method
· Exploitation of an internet-facing Gogs server vulnerability.
Email samples
· Not applicable; network exploitation, not email delivery.
References
NVD
hxxps://nvd.nist.gov/vuln/detail/CVE-2025-8110
Huntress
· hxxps://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
Wiz Research
· hxxps://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
SEC Alerts
· hxxps://secalerts.co/vulnerability/CVE-2025-8110