The United States Cybersecurity and Infrastructure Security Agency has added a new remote code execution vulnerability impacting the Gogs self-hosted Git service to its Known Exploited Vulnerabilities Catalog.
While the vulnerability – CVE-2025-8110 – has only been added overnight, active exploitation of the bug has been ongoing since at least July 2025, according to cloud security firm Wiz.
Wiz’s researchers first discovered the malicious activity when investigating a single malware-infected machine, but quickly found evidence of widespread exploitation of CVE-2025-8110 – itself a bypass of a prior Gogs RCE vulnerability, CVE-2024-55947.
“During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances,” Wiz said in a 10 December blog post outlining its findings.
“We responsibly disclosed this vulnerability to the maintainers. They are currently working on a fix, but active exploitation continues in the wild.”
The issue is that the prior fix did not account for Gogs’ handling of symbolic links: a symlink inside a repository can be abused to write files outside that repository, which in turn lets an attacker make the server run arbitrary commands.
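The bypass described above is the classic gap between a lexical path check and what the filesystem actually does. The Go example below is added here to illustrate that gap; it is not code from Gogs or from Wiz's write-up, and the directory layout, file names and function names (`naiveContains`, `resolveWithinRoot`, `demo`) are this example's own. The first check cleans the joined path and compares the prefix, which stops `..` traversal but never consults the filesystem; the second resolves symlinks up to the deepest existing component before comparing, so a link inside the repository that points elsewhere is refused.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a requested path resolves outside the repository.
var ErrEscapesRoot = errors.New("path resolves outside repository root")

// within reports whether p is root itself or lies lexically below it.
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// naiveContains is a purely lexical check: Join (which also Cleans) then compare
// the prefix. It blocks ".." but never looks at the disk, so a symlink inside the
// repository that points elsewhere is waved through.
func naiveContains(root, rel string) bool {
	return within(root, filepath.Join(root, rel))
}

// resolveWithinRoot finds the deepest ancestor of the requested path that exists,
// resolves its symlinks, re-appends the not-yet-existing tail, and only then
// checks containment against the resolved root. The returned path is where a
// write would really land.
func resolveWithinRoot(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrEscapesRoot
	}
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing := filepath.Join(rootReal, rel)
	var pending []string // components that do not exist on disk yet
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		pending = append([]string{filepath.Base(existing)}, pending...)
		parent := filepath.Dir(existing)
		if parent == existing { // reached the filesystem root without a hit
			return "", ErrEscapesRoot
		}
		existing = parent
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(append([]string{real}, pending...)...)
	if !within(rootReal, final) {
		return "", ErrEscapesRoot
	}
	return final, nil
}

// Result records what each check decided for the constructed layout.
type Result struct {
	NaiveAcceptsEscape    bool // lexical check on repo/escape/target.txt
	HardenedAcceptsEscape bool // symlink-aware check on the same path
	HardenedAcceptsNormal bool // symlink-aware check on an ordinary new file
}

// demo builds a throwaway layout in a temp directory (constructed for this example):
// a repository containing a symlink "escape" that points to a sibling directory
// outside it, then runs both checks on a write path that travels through the link.
func demo() (Result, error) {
	base, err := os.MkdirTemp("", "symlink-containment-demo")
	if err != nil {
		return Result{}, err
	}
	defer os.RemoveAll(base)
	repo, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.Mkdir(d, 0o755); err != nil {
			return Result{}, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(repo, "escape")); err != nil {
		return Result{}, err
	}
	escapePath := filepath.Join("escape", "target.txt")
	_, escErr := resolveWithinRoot(repo, escapePath)
	_, okErr := resolveWithinRoot(repo, filepath.Join("src", "main.go"))
	return Result{
		NaiveAcceptsEscape:    naiveContains(repo, escapePath),
		HardenedAcceptsEscape: escErr == nil,
		HardenedAcceptsNormal: okErr == nil,
	}, nil
}

func main() {
	r, err := demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Running it shows the lexical check accepting `repo/escape/target.txt` while the resolving check rejects it and still accepts an ordinary new file under `repo/src/`. Resolving before checking still leaves a window between the check and the write in which a link could be swapped; on Linux, opening the file with `openat2(2)` and `RESOLVE_BENEATH` (or `O_NOFOLLOW` on each component) makes the kernel enforce the same containment at open time and closes that window.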
According to Wiz, at the time of writing, there were about 1,400 internet-facing instances of Gogs (including several in Australia), and more than half of them were already compromised by Supershell-based malware.
“All infected instances shared the same pattern: eight-character random owner/repo names created within the same short time window (July 10th),” Wiz said.
“This suggests that a single actor, or perhaps a group of actors all using the same tooling, is responsible for all infections.”
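The pattern Wiz describes, random eight-character owner and repository names all created in one short burst, is something an administrator can hunt for in their own instance's repository listing. The Go example below is added here as an illustration and is not Wiz's or Gogs' code: the `Repo` row shape, the choice of lowercase alphanumerics as the definition of "random-looking", the time of day on 10 July 2025 and the sample rows are all this example's assumptions and constructed data. It keeps only owner/repo pairs where both names match the shape, sorts them by creation time, and reports runs whose consecutive creations are no more than a configurable window apart.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Repo is one row as it might come out of a repository export or API listing.
// The field names are this example's own, not the Gogs schema.
type Repo struct {
	Owner   string
	Name    string
	Created time.Time
}

// randomName captures the reported shape: exactly eight characters. The page says
// only "random"; restricting to lowercase alphanumerics is an assumption here.
var randomName = regexp.MustCompile(`^[a-z0-9]{8}$`)

// looksRandom is true when both the owner and the repository name match the shape.
func looksRandom(r Repo) bool {
	return randomName.MatchString(r.Owner) && randomName.MatchString(r.Name)
}

// suspiciousClusters returns runs of random-looking owner/repo pairs in which each
// creation is within `window` of the previous one, keeping runs of at least minSize.
// The burst is the signal; one oddly named repository on its own is not flagged.
func suspiciousClusters(repos []Repo, window time.Duration, minSize int) [][]Repo {
	var cand []Repo
	for _, r := range repos {
		if looksRandom(r) {
			cand = append(cand, r)
		}
	}
	sort.Slice(cand, func(i, j int) bool { return cand[i].Created.Before(cand[j].Created) })
	var clusters [][]Repo
	start := 0
	for i := 1; i <= len(cand); i++ {
		// Close the current run at the end of the data or when the gap to the
		// previous candidate exceeds the window.
		if i == len(cand) || cand[i].Created.Sub(cand[i-1].Created) > window {
			if i-start >= minSize {
				clusters = append(clusters, cand[start:i])
			}
			start = i
		}
	}
	return clusters
}

// sampleRepos is constructed test data: two ordinary projects, a burst of three
// random-looking pairs created minutes apart on 10 July 2025, an ordinary project
// created during that burst, and one lone random-looking pair weeks later.
func sampleRepos() []Repo {
	t0 := time.Date(2025, 7, 10, 3, 0, 0, 0, time.UTC) // time of day is assumed
	return []Repo{
		{"alice", "website", t0.Add(-40 * 24 * time.Hour)},
		{"devops-team", "infra", t0.Add(-3 * 24 * time.Hour)},
		{"k3x9q2mz", "p7w1rt8a", t0},
		{"b8n4ls0d", "q2xv7hy1", t0.Add(4 * time.Minute)},
		{"bob", "dotfiles", t0.Add(9 * time.Minute)},
		{"zr5t8kq0", "m1c6vp3s", t0.Add(11 * time.Minute)},
		{"a1b2c3d4", "wallpapr", t0.Add(30 * 24 * time.Hour)},
	}
}

func main() {
	for _, c := range suspiciousClusters(sampleRepos(), 15*time.Minute, 3) {
		fmt.Printf("burst of %d random-looking repos starting %s:\n", len(c), c[0].Created.Format(time.RFC3339))
		for _, r := range c {
			fmt.Printf("  %s/%s\n", r.Owner, r.Name)
		}
	}
}
```

On the sample data the three pairs created between 03:00 and 03:11 come out as one burst, while the lone `a1b2c3d4/wallpapr` a month later is ignored. A hit is a prompt to inspect those repositories' contents and the host for the malware described above, not proof by itself; legitimate automation that creates short, random-named repositories will also match and should be allow-listed.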
As of writing, the issue remains unpatched.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.