Gogs Internet-facing exploitation wave (CVE-2025-8110)
Exploitation Wave
Summary
Gogs servers were caught in a broad active exploitation wave that left more than 700 compromised instances among 1,400+ exposed servers. The abuse centered on CVE-2025-8110, a path traversal flaw in the PutContents API that enabled remote code execution on internet-facing deployments. Researchers tracked the activity from July to November 2025, including a second wave on November 1, indicating sustained automated targeting. The scale and repeat activity meant publicly reachable Gogs instances remained at immediate risk until access was restricted and the flaw was patched.
Related Happenings
LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
Vulnerability
First: 24.04.2026 10:24
Last: 24.04.2026 10:24
Sources 1
About this happening:
**LMDeploy CVE-2026-33626** is being **actively exploited** within **13 hours** of disclosure, turning a **vision-language SSRF flaw** into a path to **cloud credentials** and **i...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)
Vulnerability
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic**'s **CVE-2026-21962** was being **actively exploited** almost immediately after public exploit code appeared, creating a **CVSS 10.0** unauthenticated RCE risk...
Timeline
- 01.11.2025 02:00 1 article · 6mo ago
Second wave of Gogs exploitation observed on November 1
Exploitation Observed
A second wave of attacks against Internet-facing Gogs instances was observed on November 1, 2025, showing that active exploitation continued after the initial disclosure. The campaign continued to abuse the CVE-2025-8110 path traversal weakness in the PutContents API to gain remote code execution on exposed servers.
Sources:
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- 30.10.2025 02:00 1 article · 6mo ago
Gogs maintainers acknowledge CVE-2025-8110 while developing a patch
Mitigation Patch Update
Gogs maintainers acknowledged the CVE-2025-8110 flaw on October 30, 2025 while still developing a patch. The weakness is a path traversal issue in the PutContents API that lets symbolic links be abused to overwrite files outside the repository and bypass the prior CVE-2024-55947 fix.
Sources:
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- 17.07.2025 03:00 2 articles · 10mo ago
Wiz Research discloses Gogs zero-day exploitation
Initial Disclosure
Wiz Research discovered an unpatched Gogs zero-day while investigating a malware infection on a customer's Internet-facing Gogs server in July 2025 and reported the flaw to Gogs maintainers on July 17, 2025. The investigation also linked the activity to over 1,400 publicly exposed Gogs servers, more than 700 compromised instances, random eight-character repository names, Supershell malware, and command-and-control traffic to 119.45.176[.]196.
Sources:
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
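The 30.10.2025 entry describes symbolic links being used to write outside the repository despite an earlier path traversal fix. The Go sketch below is an added example, not Gogs source code or its patch: it contrasts a string-only containment check with one that resolves symlinks before allowing a write. `LexicalCheck`, `ResolvedCheck`, `Demo` and the temp-directory layout are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether path is base or lies below it (string comparison only).
func within(base, path string) bool {
	rel, err := filepath.Rel(base, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// LexicalCheck normalises "../" but never consults the filesystem.
func LexicalCheck(repoRoot, userPath string) bool {
	return within(repoRoot, filepath.Join(repoRoot, userPath))
}

// ResolvedCheck resolves symlinks in parent directories and refuses a symlink as the final component.
func ResolvedCheck(repoRoot, userPath string) bool {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false
	}
	target := filepath.Join(root, userPath)
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil || !within(root, parent) {
		return false
	}
	fi, err := os.Lstat(target) // Lstat does not follow the final component
	// A file that does not exist yet is fine; any other error fails closed.
	return (err == nil && fi.Mode()&os.ModeSymlink == 0) || os.IsNotExist(err)
}

// Demo builds a constructed layout in a temp dir: repo/link -> ../outside.txt.
func Demo() (lexical, resolved, newFile bool, err error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(tmp)
	repo, outside := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside.txt")
	err = errors.Join(os.MkdirAll(repo, 0o755), os.WriteFile(outside, []byte("x"), 0o644), os.Symlink(outside, filepath.Join(repo, "link")))
	return LexicalCheck(repo, "link"), ResolvedCheck(repo, "link"), ResolvedCheck(repo, "README.md"), err
}

func main() { fmt.Println(Demo()) }
```

A check of this kind still leaves a window between the check and the write, so the write itself should also refuse to follow symlinks (for example by opening with `O_NOFOLLOW` on Unix).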