TL;DR

CISA has added a high‑severity path traversal flaw in the self‑hosted Git server Gogs to its Known Exploited Vulnerabilities list, directing federal civilian agencies to stop using the software or apply immediate mitigations. The bug (CVE-2025-8110) allows authenticated actors to overwrite files and achieve remote code execution; researchers say hundreds of exposed instances were already compromised and no vendor patch is available yet.

What happened

The Cybersecurity and Infrastructure Security Agency added a Gogs path traversal vulnerability, tracked as CVE-2025-8110, to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian executive branch agencies to either remove the service or put it into a hardened configuration. The flaw was publicized by security researchers at Wiz in December after they discovered the issue in July while investigating a compromised machine. The vulnerability enables authenticated users to bypass protections and overwrite arbitrary files on the host, effectively enabling remote code execution. At disclosure, Wiz reported more than 700 internet‑accessible Gogs instances confirmed as compromised and roughly 1,400 reachable online. Gogs — a Go‑based self‑hosted Git service — has not released a fix, leaving administrators to implement workarounds such as disabling open registration and restricting network exposure behind VPNs or other controls.

Why it matters

  • CISA remediation orders create mandatory, time‑sensitive requirements for federal civilian agencies, raising the stakes for organizations that rely on Gogs.
  • A path traversal that permits arbitrary file overwrite can be escalated to remote code execution, posing broad risks to affected hosts and networks.
  • Hundreds of confirmed compromises and many more exposed instances indicate active, ongoing exploitation rather than a theoretical risk.
  • No vendor patch at the time of reporting forces operators to depend on mitigations that may be incomplete or difficult to apply reliably.

Key facts

  • Vulnerability tracked as CVE-2025-8110 and described as a path traversal allowing arbitrary file overwrite.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog and instructed federal civilian agencies to stop using Gogs or immediately apply mitigations.
  • Wiz researchers discovered the issue in July while investigating a compromised machine and publicly disclosed it in December.
  • More than 700 internet‑exposed Gogs instances were confirmed compromised at disclosure; about 1,400 instances were reachable online.
  • Gogs is a self‑hosted Git server written in the Go programming language.
  • As of the report, Gogs had not shipped a patch for the flaw; administrators have resorted to measures like disabling open registration and placing instances behind VPNs.
  • The flaw bypasses a previous remediation because that fix did not properly account for symbolic links (symlinks).
  • Wiz noted threat actors were observed using Supershell command‑and‑control and said they suspect an Asia‑based origin, but no definitive attribution was made.
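The symlink point above is the one worth understanding as an operator: a traversal fix that only normalises the path string stops ".." segments but never follows a symbolic link, so a link sitting under the repository root can still resolve to a location outside it. The Go program below is an added example (not Gogs code and not from the report) that contrasts a string-only containment check with one that resolves symlinks via filepath.EvalSymlinks; the directory layout and names are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const sep = string(filepath.Separator)

// insideLexical mimics a fix that only normalises the string: Join removes
// ".." segments but never follows symlinks, so a link under root passes.
func insideLexical(root, rel string) bool {
	return strings.HasPrefix(filepath.Join(root, rel)+sep, filepath.Clean(root)+sep)
}

// insideResolved follows symlinks in root and candidate before comparing, so
// a link whose target lies outside root is rejected (candidate must exist).
func insideResolved(root, rel string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(realPath+sep, realRoot+sep), nil
}

// demo builds a constructed layout: a temp dir as root, plus root/link, a
// symlink to the directory above root, and checks "link" with both functions.
func demo() (lexical, resolved bool, err error) {
	root, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(root)
	if err = os.Symlink(filepath.Dir(root), filepath.Join(root, "link")); err != nil {
		return
	}
	lexical = insideLexical(root, "link")
	resolved, err = insideResolved(root, "link")
	return
}

func main() {
	lex, res, err := demo()
	fmt.Println("lexical:", lex, "symlink-aware:", res, "err:", err)
}
```

The lexical check accepts the link path while the resolved check rejects it; for writes to files that do not exist yet, resolve the parent directory the same way before comparing.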

What to watch next

  • Whether the Gogs project releases an official patch that resolves CVE-2025-8110 (not confirmed in the source).
  • How federal agencies respond to CISA's order — removal of Gogs versus application of compensating controls (not confirmed in the source).
  • Any broader disclosure or attribution from law enforcement or security firms about who is conducting the exploitation and the scope of affected networks (not confirmed in the source).

Quick glossary

  • Gogs: A self‑hosted Git service written in the Go programming language that lets users host repositories on their own servers or cloud instances.
  • Path traversal: A class of vulnerability that allows an attacker to access files and directories outside the intended application directory, potentially leading to data exposure or system compromise.
  • Known Exploited Vulnerabilities (KEV): A catalog maintained by CISA listing vulnerabilities that are known to be actively exploited and that require prioritized remediation by federal agencies.
  • Remote code execution (RCE): A condition where an attacker can run arbitrary code on a target system, often leading to full system compromise.
  • Symbolic link (symlink): A filesystem object that points to another file or directory; symlinks can complicate access controls if not handled securely.

Reader FAQ

Has Gogs released a patch for CVE-2025-8110?
The source reports that Gogs had not shipped a fix at the time of reporting.

Am I vulnerable if I run Gogs?
According to the reporting, any internet-exposed Gogs instance should be considered at risk unless it has been properly mitigated.

What did CISA require of federal agencies?
CISA added the flaw to its KEV list and directed federal civilian executive branch agencies to stop using Gogs or immediately apply mitigations to secure it.

Who is behind the attacks?
The source says researchers observed Supershell C2 and suspect actors in Asia but that no firm attribution was made.

Sources

  • SECURITY: Federal agencies told to fix or ditch Gogs as exploited zero-day lands on CISA hit list. Git server flaw that attackers have been abusing for months has now caught…
