The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-8110, a high-severity remote code execution flaw in Gogs (Go Git Service), to its Known Exploited Vulnerabilities (KEV) catalog. This self-hosted Git platform faces active exploitation, prompting federal agencies to remediate by February 2, 2026, under BOD 22-01 guidelines. Organizations running exposed Gogs instances must prioritize patching amid ongoing attacks.
Vulnerability Breakdown
CVE-2025-8110 stems from improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated users to overwrite critical files like .git/config outside repository boundaries. This bypasses protections from the earlier CVE-2024-55947, enabling full RCE on servers. With a CVSS score of 8.7 (High), it impacts versions up to 0.13.3, where symlink validation fails during Git operations.
Discovered by Wiz Research in July 2025 while probing malware campaigns, the flaw exposes over 700 internet-facing Gogs servers to compromise. Attackers create random-named repositories, leverage low-privilege access, and deploy payloads such as Supershell C2 for persistence.
Active Exploitation and Threat Landscape
Exploitation surged post-disclosure in December 2025, with threat actors automating attacks on public instances. Compromised servers show rogue repositories and modified configs leading to webshell deployment. No zero-day evidence exists prior to patch awareness, but unpatched systems remain prime targets for supply chain attacks in DevOps environments.
CISA KEV Implications
Added to the KEV catalog on January 11-12, 2026, this entry underscores risks to self-hosted Git services mimicking GitHub. Federal entities face binding operational directives, while private sectors should align with similar urgency given the flaw’s simplicity and impact.
Mitigation and Remediation
Upgrade immediately to Gogs versions beyond 0.13.3, which address symlink traversal. Disable open registration, enforce VPN or IP restrictions, and audit repositories for anomalies. Scan for IOCs including unexpected .git/config alterations and monitor API abuse. Regular vulnerability management, aligned with NIST CSF 2.0, prevents lateral movement in enterprise setups.
