CISA Adds Actively Exploited Gogs Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-8110, a remote code execution (RCE) vulnerability in the Gogs self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw has been under active exploitation since at least July 2025, despite only being formally cataloged in December.
Researchers at Wiz uncovered the campaign while investigating a malware-infected system, later identifying widespread abuse of the vulnerability, which is a bypass of a previous Gogs RCE flaw (CVE-2024-55947). The issue stems from an incomplete patch that failed to account for symbolic links, allowing attackers to overwrite files outside repositories and execute arbitrary commands.
As of December 2025, over 1,400 internet-facing Gogs instances were detected, with more than half compromised by Supershell-based malware. Infected systems shared a distinct pattern: eight-character random owner/repo names created around July 10, suggesting a single threat actor or coordinated group. While Gogs maintainers are working on a fix, no patch is currently available, leaving vulnerable instances exposed.
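The root cause described above, a path check that does not account for symbolic links, is illustrated by the following added example, which is not Gogs code or the actual patch. It contrasts a purely lexical containment check with one that resolves symlinks before comparing; the helper names are hypothetical and the directory layout is constructed.

```go
// Added example, not Gogs code; helper names are hypothetical.
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether path is root itself or lies beneath it (lexical only).
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalInside mirrors an incomplete check: "../" is handled, symlinks are not.
func lexicalInside(root, userPath string) bool {
	return within(root, filepath.Join(root, userPath))
}

// resolvedInside resolves symlinks in the parent directory and fails closed.
func resolvedInside(root, userPath string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	target := filepath.Join(realRoot, userPath)
	dir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return false, err
	}
	// A symlink as the final component is refused outright, dangling or not.
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&fs.ModeSymlink != 0 {
		return false, nil
	}
	return within(realRoot, dir), nil
}

func main() {
	base, _ := os.MkdirTemp("", "symlink-demo") // constructed layout: repo/link -> outside
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	os.MkdirAll(filepath.Join(base, "outside"), 0o755)
	os.Mkdir(repo, 0o755)
	os.Symlink(filepath.Join(base, "outside"), filepath.Join(repo, "link"))
	ok, err := resolvedInside(repo, "link/config")
	fmt.Println(lexicalInside(repo, "link/config"), ok, err) // lexical check accepts, resolved check rejects
}
```

A check followed by a separate write is still subject to a race between the two steps; Go 1.24 and later provide `os.Root` (via `os.OpenRoot`) to confine file operations to a directory.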
"id": "GOG1768273478",
"linkid": "gogcom",
"type": "Vulnerability",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Over 700 compromised instances',
'industry': 'IT & Software Development',
'location': 'Global (including Australia)',
'name': 'Gogs (self-hosted Git service)',
'type': 'Software'}],
'attack_vector': 'Exploitation of symbolic links bypass in Gogs',
'date_detected': '2025-07-10',
'date_publicly_disclosed': '2025-12-10',
'description': 'The United States Cybersecurity & Infrastructure Security '
'Agency (CISA) added CVE-2025-8110, a remote code execution '
'vulnerability in the Gogs self-hosted Git service, to its '
'Known Exploited Vulnerabilities Catalog. Active exploitation '
'has been ongoing since at least July 2025, with widespread '
'compromise of internet-facing instances.',
'impact': {'operational_impact': 'Arbitrary command execution on compromised '
'systems',
'systems_affected': '1,400 internet-facing Gogs instances (over '
'50% compromised)'},
'initial_access_broker': {'backdoors_established': 'Supershell-based malware',
'entry_point': 'Exploitation of CVE-2025-8110 '
'(symbolic links bypass)'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Awaiting patch from Gogs '
'maintainers',
'root_causes': 'Incomplete fix for CVE-2024-55947 '
'(symbolic links not accounted '
'for)'},
'ransomware': {'ransomware_strain': 'Supershell-based malware'},
'recommendations': 'Patch Gogs instances once a fix is available; monitor for '
'suspicious repository activity (e.g., random 8-character '
'owner/repo names).',
'references': [{'date_accessed': '2025-12-10', 'source': 'Wiz Blog Post'},
{'source': 'CISA Known Exploited Vulnerabilities Catalog'}],
'regulatory_compliance': {'regulatory_notifications': "Added to CISA's Known "
'Exploited '
'Vulnerabilities '
'Catalog'},
'response': {'remediation_measures': 'Maintainers working on a fix (unpatched '
'as of writing)',
'third_party_assistance': 'Wiz (cloud security firm)'},
'threat_actor': 'Unknown (likely single actor or group using Supershell-based '
'malware)',
'title': 'CVE-2025-8110 Exploitation in Gogs Self-Hosted Git Service',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': 'CVE-2025-8110'}