Attention all developers and IT professionals: your self-hosted Git repositories might be at risk right now. A critical vulnerability in Gogs, the popular self-hosted Git service, has been actively exploited by hackers for over six months, and it’s causing quite a stir in the cybersecurity world. Worse, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has officially added the flaw, tracked as CVE-2025-8110, to its Known Exploited Vulnerabilities Catalog, a signal of both its severity and its widespread impact.

This isn’t just another minor bug: it’s a remote code execution (RCE) vulnerability that lets attackers take full control of affected systems. What makes it particularly concerning is that it bypasses a previously patched vulnerability, CVE-2024-55947, which was supposed to have been fixed. So how did this happen? The original patch overlooked Gogs’ use of symbolic links. A symlink inside a repository can point at a location outside it, so a path that appears to stay within the repository can actually land elsewhere on the host; hackers are now using this to overwrite files outside repositories and execute arbitrary commands on the system. And here’s the part most people miss: although the vulnerability was only recently added to CISA’s catalog, cloud security firm Wiz has been tracking its exploitation since at least July 2025.
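The gap described above, as an added example that is not Gogs code or the project’s patch: a containment check for a repository root that resolves symbolic links before deciding whether a path stays inside the repository, written in Go because Gogs is a Go project. The function name SafeRepoPath, the error value and the demo paths are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("path resolves outside repository root") // symlink-resolved path left root

// SafeRepoPath maps the user-supplied relative path rel to a location inside root. It resolves symlinks
// on the deepest prefix that exists on disk, so "../" segments, a symlinked parent directory and a
// dangling symlink are all rejected even when the file itself does not exist yet. (Hypothetical helper.)
func SafeRepoPath(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot) // the root itself may sit behind a symlink
	}
	if err != nil {
		return "", err
	}
	inside := func(p string) bool { return p == absRoot || strings.HasPrefix(p, absRoot+string(os.PathSeparator)) }
	cur, rest := filepath.Join(absRoot, rel), "" // walk up until a component exists, then re-append the rest
	for {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			if full := filepath.Join(resolved, rest); inside(full) {
				return full, nil
			}
			return "", ErrEscapesRoot // a lexical "../" and a symlinked parent both end up here
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		// A symlink that exists but points at nothing would create the file somewhere unknown: refuse it.
		if fi, lerr := os.Lstat(cur); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrEscapesRoot
		}
		rest = filepath.Join(filepath.Base(cur), rest)
		cur = filepath.Dir(cur)
	}
}

func main() { // constructed demo using the current directory as the repository root
	for _, rel := range []string{"README.md", "../outside.txt", "docs/new.txt"} {
		p, err := SafeRepoPath(".", rel)
		fmt.Println(rel, "->", p, err)
	}
}
```

A check that only cleans the string (the "../" case) passes the symlink case, which is exactly why the symlink-resolved path must be the one compared against the root.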

Wiz’s researchers stumbled upon the threat while investigating a single malware-infected machine, but they quickly uncovered evidence of widespread attacks. In a December 10 blog post, Wiz detailed its findings, noting that the threat actor was using a previously unknown flaw to compromise Gogs instances. Wiz responsibly disclosed the vulnerability to the maintainers, who are working on a fix, but in the meantime exploitation continues unchecked. The numbers are stark: over half of the approximately 1,400 internet-facing Gogs instances, including several in Australia, have already been compromised by Supershell-based malware.

Here’s a chilling detail: all infected instances followed the same pattern, with eight-character random owner and repository names created within a short time window on July 10th. That strongly suggests a single actor, or one coordinated group, is behind all of these infections. And here’s the controversial part: is this a case of insufficient testing of the initial patch, or a more systemic issue with how vulnerabilities are addressed in open-source projects? We’d love to hear your thoughts in the comments.

For now, the vulnerability remains unpatched, leaving countless systems exposed. If you run Gogs, monitor your instances closely, in particular for the pattern described above (owner and repository names of eight random characters created in a short burst), and apply a fix as soon as one becomes available. And remember, cybersecurity isn’t just about reacting to threats; it’s about staying one step ahead. So, what steps are you taking to protect your self-hosted repositories? Let’s start a conversation and share strategies for keeping our systems safe.