A serious vulnerability in Gogs, the widely used self-hosted Git service, is being actively exploited by cybercriminals.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new remote code execution vulnerability, tracked as CVE-2025-8110, to its Known Exploited Vulnerabilities catalog. The addition follows a pattern of malicious activity over the past six months that should concern Gogs users.
Although the flaw only recently entered the catalog, Wiz, a cloud security firm, reports that it has been under active exploitation since at least July 2025.
Wiz's discovery began with the investigation of a single infected machine, which unexpectedly led to evidence of widespread exploitation of CVE-2025-8110. The vulnerability is a variant of an earlier remote code execution flaw in Gogs, CVE-2024-55947, whose fix it bypasses.
In a blog post dated December 10, Wiz explained that while analysing the intrusions it found evidence that the threat actors were exploiting a previously unknown flaw to gain unauthorised access to Gogs instances. "We notified the developers about this critical issue," they stated. "They are in the process of developing a fix, but unfortunately, exploitation is continuing unabated in the wild."
The root cause is that the earlier patch did not account for Gogs' handling of symbolic links. This gap lets attackers overwrite files outside the designated repository directory, which can lead to arbitrary commands being executed on the host.
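As an added illustration of this bug class (not Gogs' own code, and not a description of the actual Gogs patch), the Go program below contrasts a lexical path-containment check, which stops `../` traversal but never looks at the filesystem, with one that resolves symbolic links before comparing paths. All names, paths and the fixture are constructed for the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// lexicalContain defeats "../" traversal only: it never consults the filesystem,
// so a symlink inside root that points elsewhere passes the prefix check.
func lexicalContain(root, rel string) bool {
	return strings.HasPrefix(filepath.Join(root, rel), filepath.Clean(root)+string(filepath.Separator))
}

// resolvedContain resolves symlinks in root and in the longest existing prefix of the target first.
func resolvedContain(root, rel string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	p, tail := filepath.Join(realRoot, rel), ""
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return strings.HasPrefix(filepath.Join(r, tail), realRoot+string(filepath.Separator)), nil
		}
		if !errors.Is(err, os.ErrNotExist) || filepath.Dir(p) == p {
			return false, err // a real error, or walked off the top of the tree
		}
		p, tail = filepath.Dir(p), filepath.Join(filepath.Base(p), tail)
	}
}

// Demo builds a constructed fixture: a repo root holding a symlink to the directory above it.
func Demo() (lexicalPassed, resolvedPassed bool, err error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "repo")
	if err = os.Mkdir(root, 0o755); err == nil {
		err = os.Symlink(tmp, filepath.Join(root, "link"))
	}
	if err != nil {
		return false, false, err
	}
	resolvedPassed, err = resolvedContain(root, "link/settings.txt")
	return lexicalContain(root, "link/settings.txt"), resolvedPassed, err
}
```

Even the resolving check inspects the filesystem before the write and so remains open to a race between check and use; the robust fix is to open the target with O_NOFOLLOW or, on Linux, openat2 with RESOLVE_BENEATH, so the kernel refuses any link that leaves the root.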
Wiz reports that roughly 1,400 Gogs instances are exposed to the internet, several of them in Australia. Alarmingly, more than half of these have already been compromised with malware known as Supershell.
"All compromised instances displayed a common characteristic: they all had eight-character random owner/repo names that were created within a very brief time frame on July 10th," Wiz noted. This observation suggests that either a singular actor or a coordinated group employing similar tools is behind all these infections.
At the time of writing, the vulnerability remains unpatched.
David Hollingworth is a technology writer with more than two decades of experience who continues to explore the complexities of cybersecurity, and enjoys conversations that connect his passion for technology with everyday interests such as Lego.