Attention all tech enthusiasts and cybersecurity professionals: A silent but deadly threat is lurking in the shadows of a widely-used self-hosted Git service, Gogs, and hackers are already exploiting it. But here's where it gets even more alarming—this isn't a new issue. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has officially added CVE-2025-8110 to its Known Exploited Vulnerabilities Catalog, but this vulnerability has been under active attack since at least July 2025, according to cloud security experts at Wiz. And this is the part most people miss: this flaw is actually a bypass of a previously patched Gogs vulnerability, CVE-2024-55947, highlighting a critical oversight in the initial fix.
The heart of the problem lies in Gogs’ handling of symbolic links, which attackers can exploit to overwrite files outside the intended repository. This allows them to execute arbitrary commands on the system, effectively hijacking it. Wiz researchers stumbled upon this issue while investigating a single malware-infected machine, only to uncover widespread exploitation across the globe. At the time of their report, approximately 1,400 internet-facing Gogs instances were identified, with over half already compromised by Supershell-based malware. What’s particularly chilling is the uniformity of the attacks—all infected instances featured eight-character random owner/repo names created on the same day, strongly suggesting a coordinated campaign by a single actor or group.
But here’s the controversial part: While the maintainers of Gogs are working on a patch, the vulnerability remains unaddressed as of this writing, leaving countless systems at risk. This raises a critical question: Are developers and organizations doing enough to prioritize security in their self-hosted solutions? Or are they inadvertently creating backdoors for attackers by overlooking edge cases like symbolic link exploitation?
For beginners, here’s a simplified breakdown: Think of a symbolic link as a shortcut in your file system. If not properly secured, attackers can use these shortcuts to access or modify files they shouldn’t, turning a seemingly harmless feature into a powerful weapon. This oversight in the initial patch for CVE-2024-55947 is a stark reminder that cybersecurity is a game of cat and mouse, where every detail matters.
As of now, the race is on to patch this vulnerability before more systems fall victim. But the bigger question remains: How can we ensure that fixes address the root cause, not just the symptoms? We’d love to hear your thoughts—do you think developers are doing enough to secure self-hosted services like Gogs? Or is this just the tip of the iceberg in a much larger security challenge? Share your opinions in the comments below.
Written by David Hollingworth, a seasoned tech journalist with over 20 years of experience, who finds joy in unraveling complex cybersecurity topics—especially when they intersect with his love for Lego.
