Critical Alert: Hackers Exploit Vulnerability in Gogs, a Popular Self-Hosted Git Service (2026)

Attention all tech enthusiasts and cybersecurity professionals: a silent but deadly threat is lurking in the shadows of a widely used self-hosted Git service, Gogs, and it’s already wreaking havoc. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2025-8110 to its Known Exploited Vulnerabilities Catalog, but here’s the shocking part: this vulnerability has been under active attack since at least July 2025. That’s right, for over six months, hackers have been exploiting a remote code execution (RCE) flaw in Gogs, a tool trusted by developers worldwide for version control. But here’s where it gets even more alarming: this isn’t the first time Gogs has faced such a threat. CVE-2025-8110 is actually a bypass of a previously patched RCE vulnerability, CVE-2024-55947, which means the initial fix wasn’t foolproof.

Cloud security firm Wiz uncovered this alarming trend while investigating a single malware-infected machine. What they found was startling—evidence of widespread exploitation across numerous Gogs instances. In a detailed blog post (https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit), Wiz explained how attackers are leveraging a previously unknown flaw to compromise systems. The root of the problem? The earlier patch failed to account for Gogs’ use of symbolic links, which attackers are exploiting to overwrite files outside repositories, ultimately forcing systems to execute arbitrary commands. And this is the part most people miss: as of the latest reports, over half of the approximately 1,400 internet-facing Gogs instances—including several in Australia—have already been compromised by Supershell-based malware.

Wiz noted a striking pattern in the infected instances: all featured eight-character random owner/repo names created within a narrow time frame on July 10th. This consistency strongly suggests a single actor or a coordinated group using the same tools is behind the attacks. Despite the vulnerability being disclosed to Gogs maintainers, who are working on a fix, the exploitation continues unchecked. Is this a failure of patch management, or are we underestimating the sophistication of modern cybercriminals?
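The pattern described above (owner and repository names that are both eight characters long, created close together in time) can be turned into a triage check. The sketch below is an added example, not code from Wiz or the Gogs project; the record layout, the alphanumeric-only reading of "random", the one-hour window and the cluster threshold are all assumptions to adjust for your own instance.

```python
import re
from datetime import datetime, timedelta

# Assumption: a "random" name is exactly eight ASCII letters or digits.
NAME_RE = re.compile(r"[A-Za-z0-9]{8}")

def suspicious_repos(records, window=timedelta(hours=1), min_cluster=2):
    """Flag repos whose owner AND repo names are eight-character alphanumeric
    strings and that were created within `window` of at least
    `min_cluster - 1` other such repos.

    records: iterable of (owner, repo, created_iso8601) tuples, for example
    exported by an administrator from the instance's repository listing
    (assumed shape, not a Gogs API).
    """
    hits = sorted(
        (datetime.fromisoformat(ts), owner, repo)
        for owner, repo, ts in records
        if NAME_RE.fullmatch(owner) and NAME_RE.fullmatch(repo)
    )
    flagged = set()
    start = 0
    for end in range(len(hits)):
        # Advance the window start until it spans at most `window`.
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 >= min_cluster:
            flagged.update(hits[start:end + 1])
    return [(o, r, t.isoformat()) for t, o, r in sorted(flagged)]

# Constructed sample data; not taken from any real instance.
SAMPLE = [
    ("alice", "website", "2025-03-02T09:15:00"),
    ("devteam01", "infra", "2025-07-10T10:00:00"),     # owner is 9 chars
    ("k3xq9zpl", "w8rtm2vb", "2025-07-10T10:02:11"),
    ("p0dl4nqa", "zz7ykc1e", "2025-07-10T10:05:40"),
    ("h2vb8mxt", "q9rnl3wd", "2025-07-10T10:31:02"),
    ("buildbot", "ci-jobs", "2025-07-10T10:06:00"),    # repo name does not match
    ("r4nd0mab", "cdefgh12", "2025-01-20T08:00:00"),   # matches shape, isolated in time
]

if __name__ == "__main__":
    for owner, repo, created in suspicious_repos(SAMPLE):
        print(f"review: {owner}/{repo} created {created}")
```

A name-shape match is only a lead for manual review: a legitimate account can have an eight-character name, so confirm each hit against the repository contents and the host itself before acting.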

As of now, the issue remains unpatched, leaving countless systems at risk. For beginners in cybersecurity, this serves as a stark reminder of the importance of staying vigilant and ensuring all software is up-to-date. But here’s a thought-provoking question: In an era where vulnerabilities are discovered and exploited at lightning speed, are traditional patching methods still sufficient? Share your thoughts in the comments—do you think the cybersecurity community needs a radical new approach to combat such threats? Or is the onus on developers to build more resilient systems from the ground up?

About the Author: David Hollingworth (https://www.cyberdaily.au/authors/david-hollingworth) has been a technology journalist for over two decades, covering everything from gadgets to cybersecurity. His unique ability to simplify complex topics makes him a favorite among readers, especially when he finds ways to relate cybersecurity to everyday interests like Lego. Whether you’re a seasoned pro or just starting out, his insights are sure to keep you informed and entertained.

Article information

Author: Aron Pacocha
