
CISA Adds Gogs Flaw to Known Exploited Vulnerabilities Catalog

  • Jan 13

Key Findings:


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw impacting Gogs, a lightweight, open-source, self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) catalog.

  • The vulnerability, tracked as CVE-2025-8110, has a CVSS score of 8.7 and is a path traversal issue in the PutContents API that allows for local execution of code.

  • The flaw is a bypass for a previously patched remote code execution (RCE) vulnerability, CVE-2024-55947, and allows attackers to overwrite files outside the repository and achieve RCE.

  • Wiz Research discovered the vulnerability while investigating a malware incident and found over 700 compromised Gogs instances on the internet.

  • CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to address the identified vulnerability by February 2, 2026, to protect their networks against attacks.


Background


Gogs (Go Git Service) is a lightweight, open-source, self-hosted Git service written in Go. The vulnerability CVE-2025-8110 is a path traversal issue in the PutContents API that allows for local execution of code. It is a bypass for an earlier, already patched RCE vulnerability, CVE-2024-55947.


Vulnerability Details


  • The vulnerability is an improper symbolic link handling in the PutContents API in Gogs that allows local execution of code.

  • An attacker can create a symlink in a repository that points to a file outside the repository, then use the API to write through the symlink. The server follows the link and overwrites the target file (for example .git/config), which enables command execution.

  • This is a repeat of an earlier symlink-handling problem in Gogs: the developers had patched a similar issue, but the fix did not fully address how symlinks are handled.
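As an added illustration (not code from the original post or from the Gogs project), the following Go routine shows the kind of check a write-file API needs against the pattern described above: every existing path component is inspected with Lstat, a symlink anywhere on the path is refused, and the final open uses O_NOFOLLOW so a link planted after the check is refused as well. The names safeRepoPath and putContents are ours, the policy of refusing all symlinks is stricter than what Gogs does, and syscall.O_NOFOLLOW assumes a Unix build.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrUnsafePath = errors.New("unsafe repository path: escapes root or crosses a symlink")

// safeRepoPath joins relPath onto repoRoot and rejects paths that leave the root
// via ".." or pass through a symlink (the pattern the PutContents flaw abused).
func safeRepoPath(repoRoot, relPath string) (string, error) {
	target := filepath.Join(repoRoot, relPath) // cleans "..", does not resolve links
	rel, err := filepath.Rel(repoRoot, target)
	sep := string(filepath.Separator)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrUnsafePath
	}
	cur := filepath.Clean(repoRoot)
	for _, comp := range strings.Split(rel, sep) {
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur) // reports the link itself, never its target
		if errors.Is(err, os.ErrNotExist) {
			break // nothing below this point exists yet, so nothing can be followed
		} else if err != nil {
			return "", err
		} else if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrUnsafePath
		}
	}
	return target, nil
}

// putContents is the hardened write: the path is vetted first, and the open uses
// O_NOFOLLOW (Unix) so a link planted between check and open is refused too.
// Parent directories are assumed to exist already (hypothetical simplification).
func putContents(repoRoot, relPath string, data []byte) error {
	p, err := safeRepoPath(repoRoot, relPath)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	_, werr := f.Write(data)
	return errors.Join(werr, f.Close())
}
```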


Exploitation and Impact


  • Wiz Research discovered the vulnerability while investigating a malware incident and found over 700 compromised Gogs instances on the internet.

  • The researchers observed suspicious repositories with random 8-character names, created shortly before the infection, indicating an automated attack.

  • Expanding the search found approximately 1,400 exposed Gogs instances, with over 700 compromised, all showing the same patterns, suggesting a single actor or group using the same automated tools.


CISA Response


  • CISA has added the vulnerability CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.

  • Under Binding Operational Directive (BOD) 22-01, FCEB agencies must remediate vulnerabilities listed in the catalog by the stated due date to protect their networks against attacks.

  • CISA has ordered federal agencies to fix the vulnerabilities by February 2, 2026.

  • Experts recommend that private organizations also review the Catalog and address the vulnerabilities in their infrastructure.


Sources


  • https://securityaffairs.com/186837/hacking/u-s-cisa-adds-a-flaw-in-gogs-to-its-known-exploited-vulnerabilities-catalog.html

  • https://thehackernews.com/2026/01/cisa-warns-of-active-exploitation-of.html

  • https://x.com/shah_sheikh/status/2010835175513432152

  • https://x.com/securityaffairs/status/2010833273312739779

  • https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/

© 2025 by Explain IT Again. Powered and secured by Wix
