Active Exploitation of Gogs Zero-Day Vulnerability
Summary
A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.
Timeline
- 11.12.2025 12:30 (2 articles)
Gogs Zero-Day Vulnerability Exploited in Active Attacks
A high-severity zero-day vulnerability (CVE-2025-8110) in Gogs is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying Supershell-based malware and leaving behind repositories with random 8-character names. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The malware communicates with a command-and-control server at 119.45.176[.]196. A second wave of attacks was observed on November 1, 2025. The vulnerability remains unpatched, and users are advised to take protective measures.
Sources:
- Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
Information Snippets
- CVE-2025-8110 is a file overwrite vulnerability in Gogs' PutContents API, allowing arbitrary code execution.
  First reported: 11.12.2025 12:30 (2 sources, 2 articles). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- The vulnerability bypasses a previously patched remote code execution flaw (CVE-2024-55947).
  First reported: 11.12.2025 12:30 (2 sources, 2 articles). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- Over 700 Gogs instances have been compromised, with repositories created around July 10, 2025.
  First reported: 11.12.2025 12:30 (2 sources, 2 articles). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- The malware used in the attacks is based on Supershell, a C2 framework often used by Chinese hacking groups.
  First reported: 11.12.2025 12:30 (2 sources, 2 articles). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- The attacks involve a four-step process to achieve arbitrary code execution through symbolic links.
  First reported: 11.12.2025 12:30 (1 source, 1 article). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
- The attackers left behind repositories with 8-character random names, indicating a 'smash-and-grab' style campaign.
  First reported: 11.12.2025 12:30 (2 sources, 2 articles). Sources:
  - Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks — thehackernews.com — 11.12.2025 12:30
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- The vulnerability CVE-2025-8110 stems from a path traversal weakness in the PutContents API.
  First reported: 11.12.2025 15:19 (1 source, 1 article). Sources:
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- Attackers bypass protections by using symbolic links to overwrite files outside the repository.
  First reported: 11.12.2025 15:19 (1 source, 1 article). Sources:
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- The malware communicates with a command-and-control server at 119.45.176[.]196.
  First reported: 11.12.2025 15:19 (1 source, 1 article). Sources:
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- A second wave of attacks was observed on November 1, 2025.
  First reported: 11.12.2025 15:19 (1 source, 1 article). Sources:
  - Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
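The snippets above on the PutContents path traversal and the symlink bypass describe the class of check a defender wants in a file-write API: a containment test that resolves symlinks before deciding that a write stays inside the repository. The Go example below is added here and is neither Gogs' code nor taken from either cited article; the function names, the error value and the temp-directory layout are assumptions, and it contrasts the string-only prefix check that a symlink defeats with a resolve-then-compare check that rejects the escape while still accepting an honest in-repo path.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRepo = errors.New("target path resolves outside the repository")
// inside is the string-only test; alone it is the naive check a symlink defeats.
func inside(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}
// safeTargetPath resolves the deepest existing component of rel through any
// symlinks and requires the real location to stay under the real repo root.
func safeTargetPath(repoRoot, rel string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	existing, rest := filepath.Join(root, rel), ""
	for { // walk up to the nearest path component that already exists on disk
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest, existing = filepath.Join(filepath.Base(existing), rest), filepath.Dir(existing)
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if resolved := filepath.Join(real, rest); inside(root, resolved) {
		return resolved, nil
	}
	return "", ErrEscapesRepo
}
// demoSymlinkEscape builds a constructed temp layout (repo/escape -> .., i.e. the parent
// of the repo) and reports the naive verdict, the hardened verdict, and an honest path's.
func demoSymlinkEscape() (naiveAllowed bool, hardenedErr error, honestOK bool) {
	base := filepath.Join(os.TempDir(), "gogs-symlink-demo") // constructed scratch dir
	repo := filepath.Join(base, "repo")
	os.MkdirAll(repo, 0o755)
	defer os.RemoveAll(base)
	os.Symlink("..", filepath.Join(repo, "escape"))
	naiveAllowed = inside(repo, filepath.Join(repo, "escape/secret.txt"))
	_, hardenedErr = safeTargetPath(repo, "escape/secret.txt")
	_, honestErr := safeTargetPath(repo, "docs/README.md")
	return naiveAllowed, hardenedErr, honestErr == nil
}
```

The naive check accepts the symlinked path because it never touches the filesystem; the hardened check follows the existing `escape` link to the parent directory and rejects it, which is the property to look for when reviewing any "write file into repository" handler.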
Similar Happenings
Critical vulnerabilities in Elementor King Addons plugin affect 10,000 WordPress sites
The Elementor King Addons plugin, used by over 10,000 WordPress sites, has two unauthenticated critical vulnerabilities. These flaws can lead to full site takeovers. The vulnerabilities include an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The plugin's vendor has released version 51.1.37 to address these issues. The arbitrary file upload vulnerability allows attackers to place files in web-accessible directories due to improper nonce handling and file validation. The privilege escalation flaw permits attackers to create administrator accounts by exploiting the registration endpoint. A critical security flaw, CVE-2025-8489 (CVSS score: 9.8), is under active exploitation, allowing unauthenticated attackers to grant themselves administrative privileges. The vulnerability affects versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025. Site administrators should update the plugin immediately, audit their environments for any suspicious admin users, and monitor for any signs of abnormal activity. The flaw in the plugin's registration handler allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions. Attackers send a crafted 'admin-ajax.php' request specifying 'user_role=administrator' to create rogue admin accounts on targeted sites. The peak in exploitation activity occurred between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts). Wordfence provides a list of offending IP addresses and recommends that website administrators look for them in their log files.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system. The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation. The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. 
A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
Public exploit for chained SAP NetWeaver flaws enables remote code execution
A new exploit combining two critical vulnerabilities in SAP NetWeaver has been publicly released. The exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution. The flaws were patched in April and May 2025 but were exploited as zero-days since at least March. Multiple threat actors, including ransomware groups and espionage crews, have weaponized these vulnerabilities. The exploit allows unauthenticated attackers to execute arbitrary commands, upload files, and take over affected systems. The exploit was released on a Telegram channel representing Scattered Spider, ShinyHunters, and LAPSUS$. The vulnerabilities can also be reused in other contexts, potentially affecting additional SAP deserialization flaws patched in July 2025. The attack chain involves using CVE-2025-31324 to access critical functionality and then exploiting CVE-2025-42999 to deserialize the payload and execute code with SAP system privileges. Organizations should apply SAP Security Note 3594142 and Security Note 3604119 to protect against this exploit.
Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected the healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences for an organization, its network, and its operations, including the compromise of sensitive information and disruption of operations.