Gogs RCE Actively Exploited: CISA Adds CVE-2025-8110 to KEV Catalog


Gogs, a lightweight and self-hosted Git service commonly used as an alternative to GitHub Enterprise or GitLab, has become the focus of urgent U.S. federal cybersecurity action. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Gogs vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing confirmed active exploitation in the wild.

The vulnerability, CVE-2025-8110, is a high-severity path traversal flaw that enables remote code execution. Its inclusion in the KEV Catalog triggers mandatory remediation requirements for federal agencies and serves as a strong warning to private organizations running exposed Gogs instances.


Why This Matters

Gogs is widely deployed due to its simplicity and ease of self-hosting, but many instances are exposed directly to the internet with minimal security controls. When compromised, these systems can provide attackers with access to sensitive source code, credentials, and automation scripts—often serving as a gateway to broader enterprise environments.


CVE-2025-8110 at a Glance

The vulnerability originates in Gogs’ PutContents API, which handles file writes to repositories. Authenticated attackers can abuse symbolic links to overwrite files outside repository boundaries, bypassing protections added for a previous flaw (CVE-2024-55947).

By modifying Git configuration files—specifically the sshCommand setting—attackers can execute arbitrary commands on the host system, resulting in full remote code execution.


Active Exploitation and Impact

The flaw was discovered by Wiz Research during a malware investigation involving an internet-facing Gogs server. Although reported in July, the issue was not acknowledged until late October, and patches were released only recently.

Attackers did not wait. Wiz observed active zero-day exploitation beginning November 1, with threat actors scanning for exposed Gogs instances and rapidly deploying payloads. Researchers identified over 1,400 exposed servers, more than 700 of which showed signs of compromise.


CISA Response and Federal Mandate

On January 12, 2026, CISA officially added CVE-2025-8110 to its KEV Catalog, noting that path traversal vulnerabilities are a frequent attack vector and pose significant risk to the federal enterprise.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by the assigned deadline. While the directive applies only to federal agencies, CISA strongly urges all organizations to prioritize KEV remediation as part of standard vulnerability management practices.


Organizations running Gogs should immediately:

  • Apply the latest security patch
  • Disable open user registration
  • Restrict access via VPNs or IP allow lists
  • Audit logs for suspicious PutContents API activity

Reducing internet exposure remains the most effective risk-reduction measure.
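As an added, defender-side example that is not part of this advisory or of the Gogs project, the script below implements two of the checks above: it parses reverse-proxy access logs for PutContents API activity (flagging writes to Git config files and bursts of writes from one client) and scans a repository's Git config for the sshCommand setting the advisory names as the code-execution vector. It assumes, without the advisory saying so, that the PutContents handler is reached at PUT /api/v1/repos/{owner}/{repo}/contents/{path} and that the proxy writes combined-format access logs; the log lines, the config file and the sshCommand value are constructed samples.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption (not stated in the advisory): the Gogs PutContents handler is
# reached at PUT /api/v1/repos/{owner}/{repo}/contents/{path}. Adjust the
# pattern if your deployment serves the API under a different prefix.
PUTCONTENTS_RE = re.compile(r"^/api/v1/repos/([^/]+)/([^/]+)/contents/(.*)$")

# Combined-log-format line as written by a reverse proxy in front of Gogs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access-log lines; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - alice [01/Nov/2025:10:01:02 +0000] "GET /api/v1/repos/alice/app/contents/README.md HTTP/1.1" 200 512
203.0.113.7 - alice [01/Nov/2025:10:01:09 +0000] "PUT /api/v1/repos/alice/app/contents/README.md HTTP/1.1" 201 640
198.51.100.23 - newuser42 [01/Nov/2025:10:02:00 +0000] "PUT /api/v1/repos/newuser42/x/contents/notes.txt HTTP/1.1" 201 300
198.51.100.23 - newuser42 [01/Nov/2025:10:02:01 +0000] "PUT /api/v1/repos/newuser42/x/contents/lnk/config HTTP/1.1" 201 300
198.51.100.23 - newuser42 [01/Nov/2025:10:02:03 +0000] "PUT /api/v1/repos/newuser42/x/contents/.git/config HTTP/1.1" 201 300
"""

# Constructed sample of a server-side bare repository config; the sshCommand
# value is a placeholder, not a real indicator.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = true
\tsshCommand = /tmp/EXAMPLE_SUSPICIOUS_BINARY
[remote "origin"]
\turl = git@example.invalid:alice/app.git
"""


def audit_putcontents(log_text: str, burst_threshold: int = 3) -> Dict[str, List[str]]:
    """Return findings keyed by 'user@ip'.

    Flags (a) any PutContents write whose target file name is 'config', since
    the advisory describes Git config files as the overwrite target, and
    (b) clients issuing burst_threshold or more PutContents writes in the
    log window. Only PUT requests matching the contents endpoint are counted.
    """
    writes: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        pm = PUTCONTENTS_RE.match(m["path"])
        if not pm:
            continue
        client = f"{m['user']}@{m['ip']}"
        writes[client].append((f"{pm.group(1)}/{pm.group(2)}", pm.group(3)))

    findings: Dict[str, List[str]] = defaultdict(list)
    for client, entries in writes.items():
        for repo, target in entries:
            if target.rsplit("/", 1)[-1] == "config":
                findings[client].append(f"config-file write: {repo}:{target}")
        if len(entries) >= burst_threshold:
            findings[client].append(f"burst: {len(entries)} PutContents writes")
    return dict(findings)


def find_ssh_command(config_text: str) -> List[Tuple[str, str]]:
    """Scan a Git config file for sshCommand entries in any section.

    Git treats key names case-insensitively, so the comparison is lower-cased.
    Returns (section, value) pairs; a bare server-side repository rarely has a
    legitimate reason to carry this setting, so every hit deserves review.
    """
    section = ""
    hits: List[Tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "sshcommand":
            hits.append((section, value.strip()))
    return hits


if __name__ == "__main__":
    for client, notes in audit_putcontents(SAMPLE_LOG).items():
        print(client, notes)
    print(find_ssh_command(SAMPLE_GIT_CONFIG))
```

In practice the log function is fed the proxy's access log for the exposure window and the config scanner is run over every `config` file under the Gogs repository root; both are heuristics that surface candidates for review, not proof of compromise.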


Key Takeaway

CVE-2025-8110 highlights a growing reality: developer platforms are now high-value attack targets. Inclusion in CISA’s KEV Catalog confirms real-world exploitation and elevates this issue beyond routine patching. Organizations that treat developer tools as low-risk infrastructure are increasingly vulnerable to rapid, large-scale compromise.

By Zero Day Wire