
Exploiting this RCE can give attackers command execution on federal systems, threatening sensitive data and operational continuity. Prompt remediation reduces the attack surface across the government’s extensive software supply chain.
Gogs, an open‑source Git service written in Go, has gained popularity as a lightweight alternative to GitLab and GitHub Enterprise, especially for internal collaboration and self‑hosted deployments. Because it is often exposed to the internet for remote development, any security flaw can quickly become a vector for large‑scale exploitation. The newly disclosed CVE‑2025‑8110 exemplifies this risk: a path‑traversal bug in the PutContents API lets an authenticated user write arbitrary files outside the repository, effectively bypassing earlier safeguards. In a landscape where software supply‑chain attacks are on the rise, such vulnerabilities attract heightened scrutiny from both researchers and regulators.
Wiz Research first identified the flaw while tracing a malware infection on a public Gogs instance in July, and the vendor released a patch only after a three‑month delay. In the interim, threat actors launched a coordinated zero‑day campaign on November 1, leveraging symbolic links to overwrite critical Git configuration files and set options such as sshCommand, which can trigger arbitrary command execution. Investigations revealed more than 1,400 internet‑exposed Gogs servers, with over 700 showing evidence of compromise, underscoring the rapid spread of the exploit across diverse sectors.
CISA’s directive compels all Federal Civilian Executive Branch agencies to install the patch by February 2, 2026, aligning with the agency’s broader effort to harden cloud‑based development tools under BOD 22‑01. Administrators are also urged to disable the default open‑registration setting, enforce VPN or IP allow‑list controls, and monitor the PutContents API for anomalous activity. While the immediate focus is on federal infrastructure, the advisory serves as a cautionary signal for private enterprises that rely on Gogs or similar self‑hosted Git platforms: timely patching and strict access controls are essential to prevent similar RCE incidents.
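The two defender-side checks the article points at, monitoring the PutContents API for anomalous requests and looking for the compromise indicators described above (symbolic links escaping a repository and an injected sshCommand setting), can be scripted. The following is an added example, not code from the article, from Wiz or from the Gogs project. It assumes that Gogs exposes the contents API as `PUT /api/v1/repos/<owner>/<repo>/contents/<path>`, that a reverse proxy in front of Gogs writes common-log-format access lines, and that hosted repositories live in a directory tree on disk; the log lines and the on-disk repository fixture are constructed for the demo.

```python
"""Detection helpers for the Gogs PutContents path-traversal issue.

Added example, not Gogs code. Endpoint path, log format and repository
layout are assumptions; all sample data below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumption: common-log-format access lines from the proxy in front of Gogs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: the contents API lives at /api/v1/repos/<owner>/<repo>/contents/<path>.
CONTENTS_RE = re.compile(r'^/api/v1/repos/([^/]+)/([^/]+)/contents/(.*)$')

# Constructed sample log; the third line uses double percent-encoding.
SAMPLE_LOG = [
    '203.0.113.7 - dev1 [01/Nov/2025:10:14:02 +0000] '
    '"PUT /api/v1/repos/dev1/site/contents/README.md HTTP/1.1" 201 412',
    '203.0.113.7 - dev1 [01/Nov/2025:10:14:09 +0000] '
    '"PUT /api/v1/repos/dev1/site/contents/..%2F..%2F.git%2Fconfig HTTP/1.1" 201 98',
    '198.51.100.9 - newuser [01/Nov/2025:10:15:30 +0000] '
    '"PUT /api/v1/repos/newuser/x/contents/%252e%252e/hooks/post-receive HTTP/1.1" 500 0',
    '203.0.113.7 - dev1 [01/Nov/2025:10:16:00 +0000] '
    '"GET /api/v1/repos/dev1/site/contents/.git/config HTTP/1.1" 404 12',
]


def classify_request(line):
    """Return a finding for a PutContents request whose target path contains
    traversal segments or points into Git metadata; None for anything else."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'PUT':
        return None
    url = m.group('url').split('?', 1)[0]
    c = CONTENTS_RE.match(url)
    if not c:
        return None
    # Decode twice so a double-encoded '..' ("%252e%252e") is not missed.
    target = unquote(unquote(c.group(3)))
    parts = [p for p in target.replace('\\', '/').split('/') if p]
    reasons = []
    if '..' in parts or target.startswith('/'):
        reasons.append('path traversal')
    if '.git' in parts:
        reasons.append('write into .git')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'user': m.group('user'),
            'repo': f"{c.group(1)}/{c.group(2)}", 'target': target,
            'status': int(m.group('status')), 'reasons': reasons}


def scan_access_log(lines):
    """Apply classify_request to every line and keep the findings."""
    return [f for f in (classify_request(ln) for ln in lines) if f]


def hunt_repo(repo_root):
    """Walk one repository directory and report (kind, relative path, detail)
    for symlinks resolving outside the repository and config files that set
    sshCommand, the two indicators the campaign left behind."""
    root = Path(repo_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                dest = (p.parent / os.readlink(p)).resolve()
                if dest != root and root not in dest.parents:
                    findings.append(('symlink-escape', str(p.relative_to(root)), str(dest)))
            elif name == 'config' and p.is_file():
                for ln in p.read_text(errors='replace').splitlines():
                    if re.match(r'\s*sshCommand\s*=', ln, re.I):
                        findings.append(('sshCommand-set', str(p.relative_to(root)), ln.strip()))
    return findings


def demo_repo_scan():
    """Build a constructed bare-repository fixture in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / 'repos' / 'alice' / 'app.git'
        (repo / 'hooks').mkdir(parents=True)
        # Placeholder value; a real finding would carry whatever the attacker set.
        (repo / 'config').write_text('[core]\n\tbare = true\n\tsshCommand = /PLACEHOLDER/cmd\n')
        os.symlink('../../..', repo / 'hooks' / 'escape')  # resolves to <tmp>/repos
        os.symlink('../config', repo / 'hooks' / 'inside')  # stays inside the repo
        return hunt_repo(repo)


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print('log:', f)
    for f in demo_repo_scan():
        print('disk:', f)
```

Running it against a real deployment means feeding `scan_access_log` the proxy's access log and calling `hunt_repo` on each directory under the Gogs repository root. The status code is kept in each log finding because a 201 on a traversal path means the write was accepted, which is the case that needs incident handling rather than just a WAF tweak.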