Critical Gogs Vulnerability (CVE-2025-8110) Actively Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about CVE-2025-8110, a high-severity flaw in Gogs, the self-hosted Git service, now under active exploitation. The vulnerability, rated 8.7 (CVSS v4.0), has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming real-world attacks.
The flaw stems from improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated users to overwrite files outside a repository and achieve remote code execution (RCE). Attackers exploit this by committing a symbolic link to a repository and then writing to it via the API, enabling them to modify critical files such as Git’s sshCommand configuration to execute arbitrary code.
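The defensive lesson in the paragraph above is that a content-writing API must never join a user-controlled path onto the repository root and write through whatever is there. The following Go program is an added example (Gogs is a Go project) and is not Gogs' own code: `naiveWriteFile` shows the unsafe pattern in which a committed symlink redirects the write outside the repository, and `safeWriteFile` shows the hardened form, which rejects absolute paths, parent-directory traversal and any symlink component, then re-checks the resolved parent against the resolved root. All function and error names are hypothetical, and the temp-directory fixture built in `main` is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Illustrative error values; not identifiers from the Gogs code base.
var (
	ErrOutsideRepo = errors.New("path escapes repository root")
	ErrSymlink     = errors.New("path contains a symbolic link component")
)

// naiveWriteFile is the unsafe pattern: join the caller-supplied path onto the
// repository root and write. os.WriteFile follows symlinks, so a symlink that
// was committed into the repository sends the write somewhere else entirely.
func naiveWriteFile(repoRoot, relPath string, data []byte) error {
	target := filepath.Join(repoRoot, relPath)
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// safeWriteFile refuses absolute paths, ".." traversal and any symlink in the
// path (checked with Lstat, which does not follow links), then confirms that the
// resolved parent directory still lies under the resolved repository root.
func safeWriteFile(repoRoot, relPath string, data []byte) error {
	if filepath.IsAbs(relPath) {
		return ErrOutsideRepo
	}
	clean := filepath.Clean(relPath)
	sep := string(filepath.Separator)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return ErrOutsideRepo
	}
	// Walk component by component. Stop at the first component that does not
	// exist: nothing below it can have been planted by a repository commit.
	cur := repoRoot
	for _, part := range strings.Split(clean, sep) {
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break
		}
		if err != nil {
			return err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return ErrSymlink
		}
	}
	target := filepath.Join(repoRoot, clean)
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	// Second check on resolved paths: the root itself may legitimately be reached
	// through a symlink (temp dirs often are), but the parent must stay inside it.
	rootReal, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	parentReal, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(rootReal, parentReal)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return ErrOutsideRepo
	}
	return os.WriteFile(target, data, 0o644)
}

func main() {
	// Constructed fixture: repo/cfg is a symlink to a sibling directory outside.
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	repo, outside := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	if err := os.Symlink(outside, filepath.Join(repo, "cfg")); err != nil {
		panic(err)
	}
	err = naiveWriteFile(repo, "cfg/config", []byte("x"))
	_, statErr := os.Stat(filepath.Join(outside, "config"))
	fmt.Printf("naive write: err=%v, file landed outside repo: %v\n", err, statErr == nil)
	for _, p := range []string{"cfg/config", "../outside/config", "docs/README.md"} {
		fmt.Printf("safe write %-20q -> %v\n", p, safeWriteFile(repo, p, []byte("x")))
	}
}
```

The per-component Lstat walk is what stops a committed symlink from being followed; the EvalSymlinks comparison is a second line of defence that also catches a root reached through a symlink. A check-then-write sequence like this still has a small time-of-check/time-of-use window, so on servers that accept concurrent writes the final open should additionally use an O_NOFOLLOW-style flag or an opened directory handle rather than a path string.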
Discovery & Exploitation Timeline
Researchers at Wiz uncovered the vulnerability while investigating a malware infection in a customer’s system. Their analysis revealed that attackers had been abusing the flaw as a zero-day, bypassing protections introduced for a similar issue (CVE-2024-55947) in 2024. Since July 2025, multiple waves of attacks have been observed, with threat actors deploying malware linked to the Supershell command-and-control (C2) framework.
Scope of Exposure
Wiz identified over 700 compromised Gogs instances, while Censys data indicates 1,602 publicly exposed Gogs servers, primarily in China, the U.S., and Germany. The vulnerability affects Gogs versions up to 0.13.3, with no official patch currently available. However, code fixes have been submitted to the project’s main branch, and updated releases are expected soon.
Mitigation & Response
CISA has mandated Federal Civilian Executive Branch agencies to apply mitigations by February 2, 2026. Until a patch is released, organizations are advised to:
- Disable open registration if unnecessary.
- Restrict access via VPN or IP allow-listing.
- Monitor for suspicious activity, including repositories with random eight-character names or unusual API usage.
With exploitation ongoing, exposed Gogs instances remain at high risk. Administrators are urged to treat the threat as immediate and implement defensive measures.
Source: https://www.infosecurity-magazine.com/news/cisa-flags-exploited-gogs-flaw-no/
Wiz cybersecurity rating report: https://www.rankiteo.com/company/wiz
{
  "id": "WIZ1768387058",
  "linkid": "wiz",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Over 700 compromised instances (1602 exposed servers)",
      "industry": "Software/Version Control",
      "location": "Global (highest concentrations in China, US, and Germany)",
      "name": "Gogs",
      "type": "Self-hosted Git service"
    }
  ],
  "attack_vector": "Improper handling of symbolic links in Gogs’ PutContents API",
  "date_detected": "2025-07",
  "description": "A high-severity security flaw (CVE-2025-8110) in the self-hosted Git service Gogs is being actively exploited, allowing authenticated users to overwrite files outside a repository and achieve remote code execution (RCE). The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to confirmed real-world attacks. Over 700 compromised Gogs instances have been identified, with attackers deploying malware linked to the Supershell C2 framework.",
  "impact": {
    "brand_reputation_impact": "High (due to active exploitation and public disclosure)",
    "operational_impact": "Remote code execution on affected servers",
    "systems_affected": "Gogs servers (versions up to 0.13.3)"
  },
  "initial_access_broker": {
    "entry_point": "Exploitation of CVE-2025-8110 (symbolic link handling in Gogs API)"
  },
  "investigation_status": "Ongoing",
  "post_incident_analysis": {
    "corrective_actions": "Code changes submitted to the project’s main branch; patch pending for Gogs versions 0.13.3 and earlier",
    "root_causes": "Improper handling of symbolic links in Gogs’ PutContents API, allowing authenticated users to overwrite files outside a repository"
  },
  "recommendations": [
    "Disable open registration if not required",
    "Restrict access to Gogs servers using VPN or IP allow-list",
    "Monitor for repositories with random eight-character names or unusual API usage",
    "Assume exposed instances are at high risk until patched"
  ],
  "references": [
    {"source": "CISA Known Exploited Vulnerabilities (KEV) Catalog"},
    {"source": "Wiz Research"},
    {"source": "Censys"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA KEV catalog addition (Federal Civilian Executive Branch agencies directed to mitigate by February 2, 2026)"
  },
  "response": {
    "containment_measures": [
      "Disable open registration if not required",
      "Restrict access to Gogs servers using VPN or IP allow-list",
      "Monitor for repositories with random eight-character names or unusual API usage"
    ],
    "enhanced_monitoring": "Monitoring for unusual API usage and repository names",
    "remediation_measures": "Code changes submitted to the project’s main branch (patch pending)",
    "third_party_assistance": "Wiz researchers"
  },
  "stakeholder_advisories": "CISA directive for Federal Civilian Executive Branch agencies to apply mitigations by February 2, 2026",
  "title": "Active Exploitation of CVE-2025-8110 in Gogs Self-Hosted Git Service",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2025-8110"
}