Fix or ditch: CISA orders federal agencies to stop using Gogs


The US Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to stop using Gogs or immediately apply mitigations after adding a high-severity vulnerability in the self-hosted Git service to its Known Exploited Vulnerabilities (KEV) catalog.

The fact that the flaw was added to the KEV list has triggered urgent remediation requirements for federal agencies. According to CISA, the vulnerability, tracked as CVE-2025-8110, is being weaponized in cyberattacks.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in an alert, adding that the agencies should stop using the product – Gogs – if workarounds aren’t available.


The move was expected: as early as last year, Wiz security researchers discovered the flaw by chance while investigating malware on an infected machine.

The flaw allows authenticated users to bypass protections and overwrite arbitrary files on the host system, effectively granting remote code execution. More than 700 internet-exposed Gogs instances were already confirmed compromised in ongoing attacks at the time of disclosure in December.


Gogs – a lightweight, self-hosted Git server written in Go, designed to be a simple, fast, and easy-to-install alternative to GitHub or GitLab for managing your own code repositories – has yet to ship a fix for the bug.

Because Gogs is popular with developers for its ease of deployment and minimal resource usage, users are now scrambling for stopgaps such as disabling open registration and placing instances behind a VPN.


Wiz researchers said CVE-2025-8110 was effectively a bypass for an earlier RCE vulnerability, CVE-2024-55947, and noted: “Unfortunately, the fix implemented for the previous CVE did not account for symbolic links.”

Federal agencies now have to take action. CISA regulations require Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.


Threat hunters haven’t attributed the attacks to a particular person or group. But Yaara Shriki, a Wiz researcher, told The Register: “Our assumption, based on threat actors using Supershell C2, is that they are located in Asia.”
