Attention all developers and IT professionals: A critical security flaw in the widely-used self-hosted Git service, Gogs, is under active attack by hackers, putting countless systems at risk. But here's where it gets even more alarming—this isn't a new issue. The vulnerability, identified as CVE-2025-8110, has been exploited since at least July 2025, yet it was only recently added to the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog. This delay raises questions about how such a significant threat slipped under the radar for so long.
The discovery of CVE-2025-8110 came from cybersecurity firm Wiz, which stumbled upon it while investigating a single malware-infected machine. And this is the part most people miss—this vulnerability is actually a bypass of a previously patched Gogs flaw, CVE-2024-55947. The earlier fix failed to account for Gogs’ use of symbolic links, which attackers are exploiting to overwrite files outside repositories, ultimately forcing systems to execute arbitrary commands. It’s a classic example of how incomplete patches can leave systems vulnerable to new, more sophisticated attacks.
Wiz’s research revealed that over half of the approximately 1,400 internet-facing Gogs instances—including several in Australia—were already compromised by Supershell-based malware. The infections shared a distinct pattern: eight-character random owner/repo names created on July 10th, suggesting a coordinated campaign by a single actor or group. Here’s the controversial part: despite the vulnerability being disclosed to Gogs maintainers, who are working on a fix, the issue remains unpatched as of this writing. This raises the question: Are self-hosted services like Gogs inherently more vulnerable due to their decentralized nature, or is this a failure of the broader cybersecurity ecosystem?
For beginners, this situation underscores the importance of staying vigilant about software updates and patches. Even if a vulnerability seems resolved, attackers often find creative ways to exploit overlooked weaknesses. But here’s a thought-provoking question for you: Should developers and organizations rely solely on maintainers for security, or is it time to adopt more proactive measures, like automated vulnerability scanning and stricter access controls?
As of now, the race is on to patch CVE-2025-8110 before more systems fall victim. If you’re using Gogs, prioritize updating your instance as soon as a fix is available. And for those interested in the technical details, Wiz’s full report (https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit) offers a deep dive into the exploit mechanics.
About the author: David Hollingworth has been covering technology for over two decades, with a growing passion for cybersecurity. When he’s not dissecting the latest threats, he enjoys exploring the intersection of tech and creativity—like building cybersecurity models with Lego. Follow his work for more insights into the ever-evolving world of cyber threats.
