Gogs RCE Actively Exploited: CISA Adds CVE-2025-8110 to KEV Catalog
Gogs, a lightweight and self-hosted Git service commonly used as an alternative to GitHub Enterprise or GitLab, has become the focus of urgent U.S. federal cybersecurity action. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Gogs vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing confirmed active exploitation in the wild.
The vulnerability, CVE-2025-8110, is a high-severity path traversal flaw that enables remote code execution. Its inclusion in the KEV Catalog triggers mandatory remediation requirements for federal agencies and serves as a strong warning to private organizations running exposed Gogs instances.
Why This Matters
Gogs is widely deployed due to its simplicity and ease of self-hosting, but many instances are exposed directly to the internet with minimal security controls. When compromised, these systems can provide attackers with access to sensitive source code, credentials, and automation scripts—often serving as a gateway to broader enterprise environments.
CVE-2025-8110 at a Glance
The vulnerability originates in Gogs’ PutContents API, which handles file writes to repositories. Authenticated attackers can abuse symbolic links to overwrite files outside repository boundaries, bypassing protections added for a previous flaw (CVE-2024-55947).
By modifying Git configuration files—specifically the sshCommand setting—attackers can execute arbitrary commands on the host system, resulting in full remote code execution.
Active Exploitation and Impact
The flaw was discovered by Wiz Research during a malware investigation involving an internet-facing Gogs server. Although reported in July, the issue was not acknowledged until late October, and patches were released only recently.
Attackers did not wait. Wiz observed active zero-day exploitation beginning November 1, with threat actors scanning for exposed Gogs instances and rapidly deploying payloads. Researchers identified over 1,400 exposed servers, more than 700 of which showed signs of compromise.
CISA Response and Federal Mandate
On January 12, 2026, CISA officially added CVE-2025-8110 to its KEV Catalog, noting that path traversal vulnerabilities are a frequent attack vector and pose significant risk to the federal enterprise.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by the assigned deadline. While the directive applies only to federal agencies, CISA strongly urges all organizations to prioritize KEV remediation as part of standard vulnerability management practices.
Recommended Mitigations
Organizations running Gogs should immediately:
- Apply the latest security patch
- Disable open user registration
- Restrict access via VPNs or IP allow lists
- Audit logs for suspicious PutContents API activity
Reducing internet exposure remains the most effective risk-reduction measure.
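As an added defender-side example (not Gogs project code, and not from the Wiz or CISA write-ups): a Python hunt that walks a Gogs repository root and reports any Git config that sets core.sshCommand, the setting the article names as the command-execution vector. It assumes the default Gogs layout <root>/<user>/<repo>.git/config with the root at ~/gogs-repositories; the two sample configs at the bottom are constructed.

```python
import os
import re

SECTION_RE = re.compile(r'^\[([^\]\s"]+)(?:\s+"([^"]*)")?\]$')
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")

def parse_git_config(text: str) -> dict[str, str]:
    """Minimal git-config parser; names are case-insensitive in git, so they are lowercased."""
    entries: dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:  # [core] or [remote "origin"]; the quoted subsection keeps its case
            section = m.group(1).lower() + ("." + m.group(2) if m.group(2) is not None else "")
            continue
        m = KV_RE.match(line)
        if m and section:
            entries[f"{section}.{m.group(1).lower()}"] = m.group(2).strip()
    return entries

def scan_configs(configs: dict[str, str]) -> list[tuple[str, str]]:
    """{path: text} -> [(path, value)] for configs setting core.sshCommand, which a bare server repo never needs."""
    hits = []
    for path, text in configs.items():
        value = parse_git_config(text).get("core.sshcommand")
        if value is not None:
            hits.append((path, value))
    return hits

def scan_repo_root(root: str) -> list[tuple[str, str]]:
    """Read every <user>/<repo>.git/config below the Gogs repository root and scan them."""
    configs: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.endswith(".git") and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                configs[path] = fh.read()
            dirnames[:] = []  # no need to descend into objects/ and refs/
    return scan_configs(configs)

# Constructed samples: a normal bare-repo config and one that also sets sshCommand.
CLEAN_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n\tbare = true\n"
FLAGGED_CONFIG = CLEAN_CONFIG + '\tsshCommand = PLACEHOLDER_COMMAND\n[remote "origin"]\n\turl = ../../other.git\n'

if __name__ == "__main__":  # ~/gogs-repositories is the assumed default Gogs root
    for path, value in scan_repo_root(os.path.expanduser("~/gogs-repositories")):
        print(f"ALERT core.sshCommand set in {path}: {value!r}")
```

A hit in a bare server-side repository is a strong compromise indicator, so treat it as a trigger for incident response rather than a config cleanup.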
Key Takeaway
CVE-2025-8110 highlights a growing reality: developer platforms are now high-value attack targets. Inclusion in CISA’s KEV Catalog confirms real-world exploitation and elevates this issue beyond routine patching. Organizations that treat developer tools as low-risk infrastructure are increasingly vulnerable to rapid, large-scale compromise.