Mallory

CISA Flags Actively Exploited Gogs Path Traversal Leading to RCE (CVE-2025-8110)

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, internet-facing-service-vulnerability, rapid-weaponization, internet-exposed-service
Updated March 21, 2026 at 02:54 PM (6 sources)

CISA added CVE-2025-8110 affecting the Gogs self-hosted Git service to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch (FCEB) agencies under BOD 22-01. The issue is described as a path traversal weakness that can be leveraged for remote code execution (RCE) in real-world attacks, increasing risk for organizations running Internet-exposed Gogs instances.

Technical reporting places the flaw in the PutContents API, which authenticated attackers can abuse through symbolic links: a symlink committed into a repository is followed when the API writes the file, so the write lands outside the repository and can overwrite sensitive files. One described route to code execution is overwriting the repository's Git configuration (e.g., the `core.sshCommand` setting) so that a later Git operation runs an attacker-chosen command. Wiz Research tied the vulnerability to malware activity observed on an Internet-facing Gogs server and reported large-scale exposure and compromise signals across the ecosystem (roughly 1,400 exposed servers and more than 700 showing signs of compromise), with exploitation observed as a zero-day before a patch was available. CISA's KEV action formalizes the exploitation status and raises patching priority for government and non-government operators alike.
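The Go program below is an added illustration of the bug class described above; it is not Gogs code and does not reproduce the project's own PutContents code path. It contrasts a `naiveWrite` that only cleans the path lexically (which does strip `../`) and then writes through whatever is on disk, with a `safeWrite` that resolves symlinks before deciding where the write lands and refuses any target under `.git`. The function and error names, and the temporary directory layout it constructs (a repository containing an attacker-committed symlink to a config file outside it), are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Errors returned by safeWrite. These names belong to this example, not to Gogs.
var (
	ErrEscapesRepo = errors.New("write target resolves outside the repository")
	ErrGitMetadata = errors.New("writes into .git are not allowed")
)

// naiveWrite models the vulnerable pattern: the path is cleaned lexically,
// which removes "../", but os.WriteFile then follows any symlink it meets.
func naiveWrite(repoRoot, relPath string, data []byte) error {
	clean := filepath.Clean(string(filepath.Separator) + relPath)
	return os.WriteFile(filepath.Join(repoRoot, clean), data, 0o644)
}

// within reports whether p is root itself or a descendant of root.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// safeWrite resolves symlinks before the containment check and refuses
// anything under .git, so repository config (e.g. core.sshCommand) cannot be
// overwritten through this path. The parent directory must already exist.
func safeWrite(repoRoot, relPath string, data []byte) error {
	sep := string(filepath.Separator)
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	clean := filepath.Clean(sep + relPath)
	if strings.SplitN(strings.TrimPrefix(clean, sep), sep, 2)[0] == ".git" {
		return ErrGitMetadata
	}
	target := filepath.Join(root, clean)
	// Lstat does not follow the leaf: a committed symlink posing as a file is rejected.
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return ErrEscapesRepo
	}
	// Resolve every directory component so a symlinked directory cannot redirect the write.
	parent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	resolved := filepath.Join(parent, filepath.Base(target))
	if !within(root, resolved) {
		return ErrEscapesRepo
	}
	if within(filepath.Join(root, ".git"), resolved) {
		return ErrGitMetadata
	}
	// O_NOFOLLOW closes the race between Lstat and open: a leaf that became a
	// symlink in between makes the open fail instead of being followed.
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

func main() {
	// Constructed layout: repo/link is an attacker-committed symlink that
	// points at a config file living outside the repository.
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	victim := filepath.Join(base, "outside", "config")
	for _, d := range []string{filepath.Join(repo, ".git"), filepath.Dir(victim)} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	if err := os.WriteFile(victim, []byte("[core]\n"), 0o644); err != nil {
		panic(err)
	}
	if err := os.Symlink(victim, filepath.Join(repo, "link")); err != nil {
		panic(err)
	}
	payload := []byte("[core]\n\tsshCommand = id\n")
	fmt.Println("naive:", naiveWrite(repo, "link", payload))
	got, _ := os.ReadFile(victim)
	fmt.Printf("outside file after naive write: %q\n", got)
	fmt.Println("safe (symlink leaf):", safeWrite(repo, "link", payload))
	fmt.Println("safe (.git/config):", safeWrite(repo, ".git/config", payload))
	fmt.Println("safe (normal file):", safeWrite(repo, "README.md", []byte("ok\n")))
}
```

Run it with `go run` on Linux or macOS (`syscall.O_NOFOLLOW` is not defined on Windows). The naive write silently replaces the outside file; the hardened version reports `ErrEscapesRepo` for both a symlink leaf and a symlinked directory, and `ErrGitMetadata` for `.git/config` even after `../` cleaning. Two caveats a real fix has to cover that this sketch does not: writes that create new directories need the same resolution applied to the nearest existing ancestor, and symlinks can also enter a repository through pushes and imports, so the server-side Git operations need their own controls.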

Timeline

  1. Jan 12, 2026

    CISA orders federal agencies to remediate Gogs flaw by Feb. 2

    With the KEV listing, CISA directed Federal Civilian Executive Branch agencies to remediate CVE-2025-8110 under Binding Operational Directive 22-01 by February 2, 2026. Guidance also included mitigations such as disabling open registration and restricting access to Gogs instances.

  2. Jan 12, 2026

    CISA adds CVE-2025-8110 to the KEV catalog

    On January 12, 2026, CISA added the actively exploited Gogs vulnerability CVE-2025-8110 to its Known Exploited Vulnerabilities catalog. CISA said the flaw posed significant risk and urged organizations to prioritize remediation.

  3. Jan 5, 2026

    Patches for CVE-2025-8110 are released

    Gogs released patches for CVE-2025-8110 in early January 2026, about a week before CISA's KEV announcement. The fixes addressed the symlink-based path traversal that enabled remote code execution.

  4. Dec 1, 2025

    Wiz reports large-scale exposure and compromise of Gogs servers

    By late 2025, Wiz reported that roughly 1,400 Gogs instances were exposed to the internet and more than 700 public-facing instances showed signs of compromise. The company said the exploitation appeared widespread and likely driven by a single actor or toolset.

  5. Nov 1, 2025

    Wiz observes second wave of zero-day exploitation

    On November 1, 2025, Wiz observed a second wave of in-the-wild exploitation targeting internet-facing Gogs instances. The activity appeared automated and involved indicators such as suspicious repositories with random eight-character names.

  6. Oct 30, 2025

    Gogs maintainers acknowledge the vulnerability report

    Gogs maintainers acknowledged Wiz's report of CVE-2025-8110 on October 30, 2025. This marked the vendor's formal recognition of the issue before broader disclosure and remediation guidance.

  7. Jul 17, 2025

    Wiz reports CVE-2025-8110 to Gogs maintainers

    Wiz reported the newly discovered Gogs vulnerability to the project's maintainers on July 17, 2025. The flaw was described as a bypass of the earlier CVE-2024-55947 fix through improper symbolic link handling.

  8. Jul 1, 2025

    Wiz discovers Gogs flaw during July malware investigation

    Wiz Research identified CVE-2025-8110, a path traversal and symlink-handling flaw in Gogs' PutContents API, while investigating a malware infection on an internet-facing Gogs server in July 2025. The issue could let authenticated attackers write outside a repository and achieve remote code execution.
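The registration and access-restriction mitigations mentioned in the timeline map onto the `[service]` section of the Gogs `custom/conf/app.ini`. The fragment below is an added example, not text from the advisory or the Gogs project; the key names are given as I recall them from the Gogs configuration reference, so confirm them against the `conf/app.ini` shipped with your installed version.

```ini
; custom/conf/app.ini

; --- weak: any visitor can self-register and then reach authenticated
; --- repository APIs such as the one affected by CVE-2025-8110
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW  = false

; --- hardened: accounts are created only by an administrator, and
; --- unauthenticated visitors cannot browse repositories
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW  = true
```

Only one `[service]` section belongs in a real file; the two are shown together to put the before and after side by side. Neither setting is a substitute for the patch: an existing low-privilege account is still enough to reach the affected API, so these settings limit who can obtain such an account while the upgrade is scheduled.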



Related Stories

Remote Code Execution via File Overwrite in Gogs PutContents API

A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the *Gogs* self-hosted Git service. The flaw arises from improper handling of symbolic links, allowing remote, authenticated attackers to overwrite arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior. Currently, there is no patched version available to address CVE-2025-8110. Administrators are advised to disable auto-registration of users and avoid exposing Gogs instances to the internet as temporary mitigations. Detection of vulnerable systems can be performed using specific queries to identify Gogs installations, such as searching for HTTP services with a known favicon hash. Organizations running Gogs should prioritize mitigation steps to reduce the risk of exploitation until an official fix is released.

1 month ago

Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner

Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim's username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`.

Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes.

A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes.

In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet, approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials, highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft.

Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.

1 month ago

CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)

The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.

1 month ago