
CISA Adds Gogs Flaw to Known Exploited Vulnerabilities Catalog

  • Jan 13

Key Findings:


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw impacting Gogs, a lightweight, open-source, self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) catalog.

  • The vulnerability, tracked as CVE-2025-8110, has a CVSS score of 8.7 and is a path traversal issue in the PutContents API that allows for local execution of code.

  • The flaw is a bypass for a previously patched remote code execution (RCE) vulnerability, CVE-2024-55947, and allows attackers to overwrite files outside the repository and achieve RCE.

  • Wiz Research discovered the vulnerability while investigating a malware incident and found over 700 compromised Gogs instances on the internet.

  • CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to address the identified vulnerability by February 2, 2026, to protect their networks against attacks.


Background


Gogs (Go Git Service) is a lightweight, open-source, self-hosted Git service written in Go. CVE-2025-8110 is a path traversal issue in its PutContents API, rooted in improper handling of symbolic links, that lets an attacker who can write to a repository execute code on the server. It bypasses the fix for an earlier, similar RCE vulnerability, CVE-2024-55947, which had already been discovered and patched.


Vulnerability Details


  • The root cause is improper symbolic link handling in the PutContents API: the server writes to the path the caller names without checking whether any component of that path is a symlink.

  • An attacker who can commit to a repository adds a symlink that points to a file outside the repository's tree, then calls the API to write to the symlink's path. The server follows the link and overwrites the target, for example the repository's .git/config; because git reads settings from that file that control which programs it runs, a poisoned config lets the attacker execute commands on the host.

  • This is a recurring weakness in Gogs: the developers had patched a similar issue before (CVE-2024-55947), but that fix did not address the underlying symlink handling, so the same class of bug resurfaced.
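
To make the mechanism concrete, here is an added example in Go (written for this page; it is not Gogs's own code and not from the Wiz write-up). NaiveWriteFile mirrors the vulnerable pattern of joining the caller's path to the repository root and writing through whatever is there; SafeWriteFile is a hardened version that rejects absolute paths, ".." escapes, any .git component, and any symlink in the path. The function names, the demo directory layout and the file named config are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	// ErrEscape: the requested path resolves outside the repository root.
	ErrEscape = errors.New("path escapes repository root")
	// ErrSymlink: some component of the requested path is a symbolic link.
	ErrSymlink = errors.New("path contains a symbolic link")
)

// NaiveWriteFile mirrors the vulnerable pattern: join the caller-supplied path to the
// repository root and write. os.WriteFile follows symlinks, so a link planted in the
// repository redirects the write to whatever the link points at.
func NaiveWriteFile(repoRoot, relPath string, data []byte) error {
	return os.WriteFile(filepath.Join(repoRoot, relPath), data, 0o644)
}

// SafeWriteFile writes relPath under repoRoot but refuses absolute paths, ".." escapes,
// any ".git" component, and any path component that is a symbolic link.
func SafeWriteFile(repoRoot, relPath string, data []byte) error {
	root, err := filepath.Abs(repoRoot)
	if err != nil {
		return err
	}
	if filepath.IsAbs(relPath) {
		return ErrEscape
	}
	full := filepath.Join(root, relPath) // Join cleans the path, so ".." is resolved lexically here
	if !strings.HasPrefix(full, root+string(os.PathSeparator)) {
		return ErrEscape
	}
	rel, _ := filepath.Rel(root, full)
	cur := root
	parts := strings.Split(rel, string(os.PathSeparator))
	for i, p := range parts {
		last := i == len(parts)-1
		if strings.EqualFold(p, ".git") {
			return ErrEscape // git itself refuses to track paths with a .git component
		}
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur) // Lstat reports the link itself, never its target
		switch {
		case errors.Is(err, os.ErrNotExist):
			if !last {
				if err := os.Mkdir(cur, 0o755); err != nil {
					return err
				}
			}
		case err != nil:
			return err
		case fi.Mode()&os.ModeSymlink != 0:
			return ErrSymlink
		case !last && !fi.IsDir():
			return fmt.Errorf("%s: not a directory", cur)
		}
	}
	return os.WriteFile(full, data, 0o644)
}

func main() {
	base, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	os.MkdirAll(repo, 0o755)
	os.MkdirAll(outside, 0o755)
	target := filepath.Join(outside, "config") // constructed stand-in for a config file outside the repo
	os.WriteFile(target, []byte("original"), 0o644)
	os.Symlink(target, filepath.Join(repo, "link")) // the attacker-planted symlink

	_ = NaiveWriteFile(repo, "link", []byte("attacker-controlled"))
	got, _ := os.ReadFile(target)
	fmt.Printf("naive write: target outside repo now contains %q\n", got)
	fmt.Printf("safe write through symlink: %v\n", SafeWriteFile(repo, "link", []byte("x")))
	fmt.Printf("safe write with ..: %v\n", SafeWriteFile(repo, "../outside/config", []byte("x")))
	fmt.Printf("safe write of docs/README.md: %v\n", SafeWriteFile(repo, "docs/README.md", []byte("ok")))
}
```

Even with these checks the write is still racy: an attacker who can swap a path component between the Lstat and the write wins the TOCTOU window. Production code should open with O_NOFOLLOW (or openat2 with RESOLVE_BENEATH on Linux) instead of relying on a separate Lstat, and a Git service is better off writing through git plumbing into the object store than touching a checkout at all.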


Exploitation and Impact


  • Wiz Research discovered the vulnerability while investigating a malware incident and found over 700 compromised Gogs instances on the internet.

  • The researchers observed suspicious repositories with random 8-character names, created shortly before the infection, indicating an automated attack.

  • Expanding the search found approximately 1,400 exposed Gogs instances, with over 700 compromised, all showing the same patterns, suggesting a single actor or group using the same automated tools.
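
The pattern the researchers describe (freshly created repositories with random 8-character names, plus a tampered git config) can be turned into a triage check. The following Go program is an added example, not code from Wiz or from Gogs. It assumes Gogs keeps bare repositories at <root>/<owner>/<name>.git, uses directory mtime as a stand-in for creation time, and flags the git config keys core.fsmonitor, core.sshCommand and core.hooksPath, which are general git knowledge (keys whose values git executes or uses to locate hooks) rather than indicators named in the reports. The sample repository tree is constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// randomName matches the 8-character names seen on the compromised instances (the
// alphabet is an assumption; tighten it to what your own logs show).
var randomName = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// execKeys: git config keys whose values git runs as a command or uses to find hooks.
var execKeys = map[string]bool{"core.fsmonitor": true, "core.sshcommand": true, "core.hookspath": true}

// SuspiciousConfigKeys does a minimal parse of git config text and returns, in file
// order, the section.key names that appear in execKeys.
func SuspiciousConfigKeys(cfg string) []string {
	section, hits := "", []string(nil)
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';': // blank or comment
		case line[0] == '[' && strings.HasSuffix(line, "]"): // "[core]" or "[remote \"origin\"]"
			if fields := strings.Fields(strings.Trim(line, "[]")); len(fields) > 0 {
				section = strings.ToLower(fields[0])
			}
		default:
			key, _, _ := strings.Cut(line, "=")
			if full := section + "." + strings.ToLower(strings.TrimSpace(key)); execKeys[full] {
				hits = append(hits, full)
			}
		}
	}
	return hits
}

// ScanRepos walks root/<owner>/<name>.git (assumed bare-repo layout under the Gogs
// repository root) and maps "owner/name" to reasons for every repo whose name looks
// auto-generated with mtime (a proxy for creation time) after since, or whose config
// carries a command-executing key.
func ScanRepos(root string, since time.Time) (map[string][]string, error) {
	owners, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	for _, o := range owners {
		repos, _ := os.ReadDir(filepath.Join(root, o.Name())) // a stray file yields no entries
		for _, r := range repos {
			name, reasons := strings.TrimSuffix(r.Name(), ".git"), []string(nil)
			if !r.IsDir() || name == r.Name() { // not a bare repository directory
				continue
			}
			if info, err := r.Info(); err == nil && randomName.MatchString(name) && info.ModTime().After(since) {
				reasons = append(reasons, "random 8-char name, modified "+info.ModTime().Format(time.RFC3339))
			}
			cfg, _ := os.ReadFile(filepath.Join(root, o.Name(), r.Name(), "config")) // missing reads as empty
			if keys := SuspiciousConfigKeys(string(cfg)); len(keys) > 0 {
				reasons = append(reasons, "config sets "+strings.Join(keys, ", "))
			}
			if len(reasons) > 0 {
				findings[o.Name()+"/"+name] = reasons
			}
		}
	}
	return findings, nil
}

// BuildSampleTree writes a constructed repository root (made-up test data, not from a
// real instance): one benign repo and two that match the rules.
func BuildSampleTree(root string) error {
	for rel, cfg := range map[string]string{
		"alice/website.git":  "[core]\n\tbare = true\n",
		"bob/aB3dE9xZ.git":   "[core]\n\tbare = true\n\tfsmonitor = /tmp/.x\n",
		"carol/Zq8Lm2Pw.git": "[core]\n\tbare = true\n",
	} {
		dir := filepath.Join(root, rel)
		os.MkdirAll(dir, 0o755) // a failure here surfaces from WriteFile below
		if err := os.WriteFile(filepath.Join(dir, "config"), []byte(cfg), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "gogs-repos")
	defer os.RemoveAll(root)
	if err := BuildSampleTree(root); err != nil {
		panic(err)
	}
	findings, _ := ScanRepos(root, time.Now().Add(-time.Hour))
	for repo, reasons := range findings {
		fmt.Printf("%s: %s\n", repo, strings.Join(reasons, "; "))
	}
}
```

Run it as the Gogs service user against the configured repository root. Directory mtime is a weak signal (any ref update can touch it), so confirm creation times against the Gogs database or web logs before acting on a match, and treat the config key list as a starting point rather than a complete set.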


CISA Response


  • CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog, which it does only for vulnerabilities with evidence of active exploitation.

  • Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate catalogued vulnerabilities by the due date CISA sets; for this entry the deadline is February 2, 2026.

  • BOD 22-01 binds only federal agencies, but CISA and security practitioners advise all organizations to review the catalog and remediate listed vulnerabilities in their own infrastructure.


Sources


  • https://securityaffairs.com/186837/hacking/u-s-cisa-adds-a-flaw-in-gogs-to-its-known-exploited-vulnerabilities-catalog.html

  • https://thehackernews.com/2026/01/cisa-warns-of-active-exploitation-of.html

  • https://x.com/shah_sheikh/status/2010835175513432152

  • https://x.com/securityaffairs/status/2010833273312739779

  • https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/

© 2025 by Explain IT Again.