Federal agencies told to fix or ditch Gogs as exploited zero-day lands on CISA hit list
Summary
CISA has added a high-severity path traversal vulnerability in the self-hosted Git service Gogs, CVE-2025-8110, to its Known Exploited Vulnerabilities (KEV) catalogue, ordering federal civilian executive branch agencies to remediate immediately or stop using the product. The flaw, first disclosed by Wiz researchers, lets any authenticated user bypass an earlier path traversal fix by writing through symbolic links, overwrite arbitrary files on the host and achieve remote code execution. Gogs has not yet shipped a patch; hundreds of exposed instances were already confirmed compromised and many more remain reachable online.
Key Points
- CISA added CVE-2025-8110 (path traversal) in Gogs to the KEV catalogue, triggering mandatory remediation deadlines for federal civilian agencies.
- The vulnerability permits authenticated users to overwrite arbitrary files on the host, enabling remote code execution.
- Wiz researchers discovered the issue after finding signs of active exploitation: a prior fix for the same traversal did not account for symbolic links (symlinks), so a symlink committed into a repository can still redirect a file write outside it.
- At disclosure, more than 700 internet-exposed Gogs instances were confirmed compromised and about 1,400 were reachable online.
- Gogs has not yet released a definitive fix; recommended stopgaps are disabling open registration, placing instances behind a VPN or firewall, or discontinuing use until a patch ships.
- Wiz observed the attackers deploying the Supershell command-and-control (C2) framework and assesses that the activity probably originates from Asia, though attribution remains unconfirmed.
Content summary
The US Cybersecurity and Infrastructure Security Agency (CISA) has escalated a Gogs path traversal vulnerability to its KEV catalogue because attackers are weaponising it in the wild. The issue, tracked as CVE-2025-8110, was uncovered by Wiz security researchers, who found that a previous remediation overlooked symlink handling: the earlier check stopped lexical traversal but not a symlink inside the repository that points outside it, so an authenticated attacker can still write arbitrary files on the host and gain remote code execution. Exploitation is easy against default settings, which allow open registration, and many public Gogs instances are compromised or reachable. Because no official patch is available yet, CISA's KEV entry (enforced for federal agencies under Binding Operational Directive 22-01) tells them to apply mitigations or stop using Gogs entirely if they cannot adequately protect their instances.
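The bypass described above is a general failure mode, not something specific to Gogs: a containment check that only inspects the path string stops "../" but is blind to a symlink that the attacker controls. The following Go program (Go because Gogs is written in Go) is an added illustration written for this summary, not Gogs' own code or the Wiz proof of concept; the function names, the temporary directory layout and the probe paths are all constructed for the example. It places a naive lexical check beside a check that resolves symlinks before testing containment, and runs both against a plain file, a "../" traversal, a symlinked file and a symlinked directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a write would land outside the repository root.
var ErrOutsideRoot = errors.New("path escapes repository root")

// underRoot is the lexical containment test shared by both checks.
func underRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// naiveInsideRoot is the shape of a string-only path traversal fix (hypothetical,
// not Gogs' code): it joins and cleans the user-supplied relative path and checks
// that the result still starts with the repository root. It stops "../" but never
// looks at the filesystem, so a symlink the attacker committed passes untouched.
func naiveInsideRoot(root, rel string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, rel) // Join cleans, collapsing ".." components
	if !underRoot(root, full) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// safeInsideRoot keeps the lexical test, then resolves symlinks in the deepest
// existing ancestor of the target and re-checks containment against the resolved
// root. A symlinked file and a symlinked directory are both caught; a dangling
// symlink makes EvalSymlinks fail, so the check fails closed.
func safeInsideRoot(root, rel string) (string, error) {
	full, err := naiveInsideRoot(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing, rest := full, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break // deepest component that exists (possibly a symlink itself)
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	resolved = filepath.Join(resolved, rest)
	if !underRoot(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// Outcome records whether each check accepted a given relative path.
type Outcome struct{ Naive, Safe bool }

// Demo builds a constructed layout in a temp dir:
//   base/secret.txt                 a file outside the repository
//   base/repo/                      the repository root
//   base/repo/cfg -> ../secret.txt  symlinked file an attacker could commit
//   base/repo/up  -> ..             symlinked directory pointing above the repo
// and returns, per probe path, whether the naive and the safe check accepted it.
func Demo() (map[string]Outcome, error) {
	base, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	if err := os.Mkdir(repo, 0o755); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600); err != nil {
		return nil, err
	}
	if err := os.Symlink("../secret.txt", filepath.Join(repo, "cfg")); err != nil {
		return nil, err
	}
	if err := os.Symlink("..", filepath.Join(repo, "up")); err != nil {
		return nil, err
	}
	probes := []string{"README.md", "../secret.txt", "cfg", "up/secret.txt"}
	out := make(map[string]Outcome, len(probes))
	for _, p := range probes {
		_, nerr := naiveInsideRoot(repo, p)
		_, serr := safeInsideRoot(repo, p)
		out[p] = Outcome{Naive: nerr == nil, Safe: serr == nil}
	}
	return out, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range []string{"README.md", "../secret.txt", "cfg", "up/secret.txt"} {
		fmt.Printf("%-16s naive=%-5v safe=%v\n", p, res[p].Naive, res[p].Safe)
	}
}
```

The naive check rejects only the "../" probe and waves through both symlink probes; the resolving check accepts only the plain file. Even the resolving check is a check-then-write race: a symlink swapped in between the check and the write still wins, so the write itself should refuse to follow links (O_NOFOLLOW on the final component, or on Go 1.24 and later the os.Root type, which confines every operation to a directory and refuses symlink escapes at the kernel level).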
Context and relevance
This is important for anyone who self-hosts developer tooling or manages infrastructure: Gogs is a lightweight Git server used in many environments, and a KEV listing means US federal agencies must act quickly. The incident fits a broader trend of attackers abusing misconfigured or unpatched self-hosted services, the same trend that has recently seen exploited automation servers and database flaws. If you run Gogs, or host any Git service that allows symlinks and open registration, treat internet-reachable instances as potentially compromised and prioritise containment, network isolation and a migration plan until a patch is available.
Why should I read this?
Short version: if Gogs lives anywhere on your network, stop whatever you’re doing and check it. CISA has flagged this as actively exploited and federal agencies have to act now — so this isn’t theoretical. If you manage servers, this could be the difference between a quick config change and a full-blown compromise. We read the detail so you don’t have to — go and lock it down or rip it out.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/13/cisa_gogs_exploit/
