Unpatched Gogs Zero-Day: 700+ Instances Compromised! What You Need to Know (2026)

Imagine waking up to the news that over 700 instances of a popular self-hosted Git service are under active attack due to an unpatched, high-severity vulnerability. That’s exactly what’s happening with Gogs, a Go-based platform that’s now at the center of a brewing cybersecurity storm. According to a recent report by Wiz, a cloud security company, a zero-day flaw tracked as CVE-2025-8110 is being actively exploited, leaving hundreds of systems exposed. But here’s where it gets even more alarming: this isn’t just a theoretical risk—it’s already causing real-world damage. And this is the part most people miss: the vulnerability is a bypass of a previously patched issue, meaning attackers are exploiting a loophole that was supposed to be closed. Let’s break it down in a way that even beginners can understand.

The flaw lies in Gogs’ file update API, where improper handling of symbolic links allows attackers to execute arbitrary code locally. This isn’t just a minor oversight: it’s a critical failure with a CVSS score of 8.7, indicating high severity. The issue was first discovered in July 2025 when Wiz was investigating a malware infection on a customer’s machine. Interestingly, the December 2024 fix for a similar vulnerability, CVE-2024-55947, was circumvented because Gogs allows symbolic links in repositories, and those links can point to files outside the repository. A write made through such a link therefore lands outside the repository as well. This oversight enables a four-step attack process:

  1. Create a standard Git repository.
  2. Commit a symbolic link pointing to a sensitive target.
  3. Use the PutContents API to write data to the symlink, overwriting the target file outside the repository.
  4. Overwrite the .git/config file to execute arbitrary commands.
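
The check whose absence steps 2 and 3 depend on, shown as an added example in Go (the language Gogs is written in); it is not Gogs' code and not its fix. `SafeWrite` and `ErrEscapesRepo` are hypothetical names, and rejecting every symlink as the final path component (even one pointing inside the repository) is an assumed policy.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo is returned when a write would land outside the repository root.
var ErrEscapesRepo = errors.New("path resolves outside repository")

// SafeWrite (hypothetical helper) writes data to rel under repoRoot and refuses symlink redirection.
func SafeWrite(repoRoot, rel string, data []byte) error {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	target := filepath.Join(root, filepath.Clean("/"+rel)) // neutralise ../ segments
	// Resolve symlinks in the parent directories, then confirm we are still under root.
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	if parent != root && !strings.HasPrefix(parent, root+string(os.PathSeparator)) {
		return ErrEscapesRepo
	}
	final := filepath.Join(parent, filepath.Base(target))
	// Lstat does not follow the final component: reject a committed symlink outright.
	if fi, err := os.Lstat(final); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return ErrEscapesRepo
	} else if err != nil && !os.IsNotExist(err) {
		return err
	}
	return os.WriteFile(final, data, 0o644)
}

func main() {
	// Constructed scenario: a working tree containing a symlink to a file outside it.
	base, _ := os.MkdirTemp("", "symlink-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.Mkdir(repo, 0o755)
	os.WriteFile(filepath.Join(base, "outside.txt"), []byte("original"), 0o644)
	os.Symlink(filepath.Join(base, "outside.txt"), filepath.Join(repo, "link"))
	fmt.Println("link:", SafeWrite(repo, "link", []byte("x")))
	fmt.Println("README.md:", SafeWrite(repo, "README.md", []byte("ok")))
}
```

The check and the write are separate steps, so writes to one repository need to be serialised, or the file opened without following links, to keep a symlink from being swapped in between them.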

The malware deployed in these attacks is believed to be based on Supershell, an open-source command-and-control framework favored by Chinese hacking groups. What’s particularly striking is the attackers’ carelessness—they left behind repositories with random 8-character names like "IV79VAew" and "Km4zoh4s" instead of deleting or privatizing them, suggesting a rushed, "smash-and-grab" campaign. Out of approximately 1,400 exposed Gogs instances, over 700 show signs of compromise, all linked to activity around July 10, 2025. Researchers believe a single actor or group is behind these infections, given the consistent tooling and timing.

But here’s where it gets controversial: While a fix for CVE-2025-8110 is in the works, it’s not here yet. In the meantime, users are left scrambling to protect themselves. Wiz recommends disabling open-registration, limiting internet exposure, and scanning for repositories with random 8-character names. However, some argue that these measures are reactive rather than proactive—shouldn’t platforms like Gogs prioritize robust security testing before vulnerabilities become zero-days? What do you think? Is this a failure of the open-source community, or an inevitable consequence of rapid development?

Adding to the urgency, Wiz also highlights another alarming trend: threat actors are targeting leaked GitHub Personal Access Tokens (PATs) to gain initial access to cloud environments and move laterally across platforms. With basic read permissions, attackers can use GitHub’s API to uncover secret names embedded in YAML code. If the PAT has write permissions, they can execute malicious code and erase their tracks. For instance, attackers have been observed exfiltrating secrets to their own webhook endpoints, bypassing GitHub Action logs entirely. This raises a critical question: Are we doing enough to secure our access tokens and secrets in an increasingly interconnected cloud ecosystem?

As we grapple with these issues, one thing is clear: the cybersecurity landscape is evolving faster than ever, and staying ahead requires constant vigilance.

Article information

Author: Twana Towne Ret
