CISA Orders Federal Agencies to Patch Actively Exploited Gogs Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to patch a critical vulnerability in the Gogs self-hosted Git service that attackers are actively exploiting in zero-day attacks. The vulnerability, tracked as CVE-2025-8110, allows authenticated attackers to achieve remote code execution on vulnerable servers.

Understanding the Gogs Vulnerability

Gogs is a popular open-source Git service written in Go, designed as a lightweight alternative to GitLab and GitHub Enterprise. Many organizations expose Gogs servers online to facilitate remote collaboration, making them attractive targets for attackers.

The vulnerability stems from a path traversal weakness in Gogs' PutContents API. While Gogs had previously patched a similar RCE bug (CVE-2024-55947) by implementing protections to prevent file writes outside repository boundaries, CVE-2025-8110 bypasses these protections using symbolic links.

How the Attack Works

Attackers with authenticated access to a Gogs instance can:

1. Create a malicious repository containing symbolic links that point to sensitive system files outside the repository
2. Use the PutContents API to write data through these symlinks
3. Overwrite critical system files that would normally be protected

The most dangerous aspect of this attack is the ability to overwrite Git configuration files, specifically the sshCommand setting. By manipulating this configuration, attackers can force the system to execute arbitrary commands with the privileges of the Gogs process.

Attack Timeline and Discovery

Wiz Research discovered this vulnerability in July 2025 while investigating a malware infection on a customer's Internet-facing Gogs server. They reported their findings to Gogs maintainers on July 17, 2025.

However, the disclosure timeline reveals concerning delays:

• July 17, 2025: Wiz Research reports the vulnerability
• October 30, 2025: Gogs maintainers acknowledge the report (nearly 3.5 months later)
• November 1, 2025: Second wave of zero-day attacks observed
• Early January 2026: Patches released

During their investigation, Wiz researchers identified over 1,400 Gogs servers exposed online, with 1,250 remaining unpatched and vulnerable. More alarmingly, they found over 700 instances showing signs of compromise.

Federal Mandate and Response

CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities Catalog and issued Binding Operational Directive (BOD) 22-01 guidance. Federal Civilian Executive Branch (FCEB) agencies—including the Department of Energy, Department of Justice, Department of Homeland Security, and Department of State—must patch by February 2, 2026.

CISA emphasized the severity: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

Technical Mitigation Strategies

Immediate Actions for Gogs Administrators

1. Apply Vendor Patches

Gogs has released patches that add symlink-aware path validation at all file-write entry points. Update to the latest version immediately.

2. Disable Open Registration

The default open-registration setting should be disabled to prevent unauthorized user creation. This reduces the attack surface by requiring explicit user provisioning.

3. Implement Network Controls

• VPN Access: Require VPN connections for all Gogs access
• IP Allow Lists: Restrict server access to trusted IP ranges
• Firewall Rules: Block unnecessary external access

Detection and Incident Response

Administrators should investigate their instances for signs of compromise by:

• Monitoring PutContents API usage: Look for suspicious or unusual file write operations
• Checking repository names: Attackers created repositories with random eight-character names during the November 1 attack wave
• Reviewing Git configuration files: Check for unauthorized modifications to sshCommand settings
• Examining system logs: Look for unexpected process execution or file modifications outside repository directories

Broader Implications

This incident highlights several critical security patterns:

Incomplete Patching: The initial fix for CVE-2024-55947 addressed direct path traversal but didn't account for symbolic link abuse, demonstrating how partial fixes can leave systems vulnerable.

Supply Chain Risk: Self-hosted Git services are critical infrastructure for development teams. Compromising these systems provides access to source code, build pipelines, and potentially deployment credentials.

Exposure Management: The discovery of 1,400+ Internet-exposed instances underscores the importance of asset inventory and exposure monitoring. Many organizations deploy services like Gogs for convenience without fully considering security implications.

Recommendations for Organizations

If you're running Gogs or similar self-hosted Git services:

1. Audit your deployment: Identify all instances and their exposure level
2. Patch immediately: Apply the latest Gogs patches that address CVE-2025-8110
3. Review authentication: Implement strong authentication and disable open registration
4. Monitor for exploitation: Check logs for the indicators of compromise mentioned above
5. Consider alternatives: Evaluate whether cloud-hosted Git services with managed security might be more appropriate for your use case

The combination of active exploitation, widespread exposure, and the critical nature of Git services makes this vulnerability particularly dangerous. Organizations should treat this as an urgent priority.

Additional Resources

• Gogs Official Website
• Gogs GitHub Repository
• CISA Known Exploited Vulnerabilities Catalog
• Wiz Research Blog (for detailed technical analysis)

This story continues to develop as more organizations patch their systems and security researchers uncover additional details about the attack campaigns.