Attention all tech enthusiasts! A serious vulnerability has been identified in the widely-used self-hosted Git service, Gogs, and hackers are actively exploiting it. The United States Cybersecurity & Infrastructure Security Agency (CISA) has officially added CVE-2025-8110 to its list of vulnerabilities that are currently under active exploitation, following more than six months of malicious activity.
This newly recognized vulnerability, CVE-2025-8110 (you can find more details at https://www.cve.org/CVERecord?id=CVE-2025-8110), was only recently included in CISA's catalog, yet reports from the cloud security company Wiz confirm that attacks leveraging this flaw have been ongoing since at least July 2025.
You might wonder how this all came to light. Wiz's researchers initially stumbled upon the issue while examining a single machine infected with malware. Their investigation quickly revealed that this particular vulnerability was being exploited on a much larger scale than they had anticipated. In fact, CVE-2025-8110 is a bypass of an earlier RCE (Remote Code Execution) vulnerability known as CVE-2024-55947, which means it's built upon a previously existing security flaw.
In a blog post dated December 10, Wiz stated, "During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances." They responsibly reported this vulnerability to Gogs' maintainers, who are now working diligently to develop a fix. However, the alarming reality is that active exploitation continues unabated.
The crux of the problem lies in the fact that the previous patch did not adequately address how Gogs utilizes symbolic links. This oversight allows attackers to overwrite files outside of designated repositories, potentially leading to unauthorized execution of arbitrary commands by the system.
As of now, Wiz estimates that there are roughly 1,400 instances of Gogs exposed to the internet—some of which are located in Australia—and shockingly, more than half of these instances have already fallen victim to malware based on the Supershell exploit.
Wiz noted, "All infected instances shared the same pattern: eight-character random owner/repo names created within the same short time window (July 10th)." This indicates that a single individual or possibly a group employing similar tools may be behind all the infections, raising significant concerns about the extent of this attack.
As it stands, the vulnerability remains unpatched, leaving countless systems open to exploitation. Have you ever considered the implications of such vulnerabilities in technology you depend on? Join the discussion and share your thoughts on how we can better secure our digital infrastructures.
