Ethical Hacking News
CISA has ordered federal civilian executive branch agencies to patch a high-severity Gogs vulnerability that was exploited in zero-day attacks, with over 1,400 servers remaining exposed online. To mitigate this risk, CISA advises users to disable open-registration and limit server access using a VPN or an allow list.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert to federal civilian executive branch agencies regarding a remote code execution (RCE) flaw in Gogs. The vulnerability, CVE-2025-8110, stems from a path traversal weakness in the PutContents API, allowing authenticated attackers to bypass protections implemented for a previously patched RCE bug. Over 1,400 Gogs servers remain exposed, with over 700 instances showing signs of compromise. CISA has ordered FCEB agencies to patch within three weeks, by February 2, 2026, to mitigate the vulnerability. Admins are advised to disable default open-registration and limit server access using a VPN or allow list to prevent exploitation. Patching is crucial due to the widespread exposure of Gogs servers online, and organizations should implement robust security measures to prevent similar instances of zero-day attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert to federal civilian executive branch agencies, ordering them to patch the Gogs remote code execution (RCE) flaw (CVE-2025-8110) that was exploited in zero-day attacks. The vulnerability stems from a path traversal weakness in the PutContents API and allows authenticated attackers to bypass protections implemented for a previously patched RCE bug (CVE-2024-55947). Wiz Research discovered the vulnerability while investigating a malware infection on a customer's Internet-facing Gogs server in July and reported it to the Gogs maintainers on July 17. The maintainers acknowledged the report three months later, on October 30, and patches released last week add symlink-aware path validation at all file-write entry points.
The patching process is critical due to the widespread exposure of Gogs servers online. According to a disclosure timeline shared by Wiz Research, over 1,400 Gogs servers remain exposed (1,250 of which are still vulnerable), and more than 700 instances show signs of compromise. The zero-day attacks targeting this vulnerability were observed on November 1, with threat actors using the PutContents API to overwrite files outside the repository, thus allowing them to execute arbitrary commands.
The flaw is a bypass of the fix for the earlier RCE bug, so servers that were patched against CVE-2024-55947 are exposed again. The attack chain creates a repository containing a symbolic link that points at a sensitive file on the host, then writes data through that symlink with the PutContents API, overwriting the target outside the repository. Overwriting a Git configuration file, specifically its sshCommand setting, forces the server to execute arbitrary commands.
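The fix the maintainers shipped is described as symlink-aware path validation at every file-write entry point. The Go function below is an added illustration of what such a check has to do, written for this article and not taken from Gogs: a purely lexical check (cleaning `../`) is not enough, because a path like `docs/link/file` is lexically inside the repository even when `docs/link` is a symlink to a directory outside it. `SafeWritePath`, `evalExistingPrefix`, and the two error values are this example's own names, and the repository layout built in `main()` is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Error values for this example (not Gogs' own).
var (
	ErrOutsideRepo     = errors.New("write target resolves outside the repository root")
	ErrDanglingSymlink = errors.New("write path passes through a dangling symlink")
)

// SafeWritePath maps a user-supplied repository-relative path to the real
// on-disk path a write would land on, following every symlink in the part of
// the path that already exists, and rejects it if the result leaves root.
func SafeWritePath(root, relPath string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if rootReal, err = filepath.Abs(rootReal); err != nil {
		return "", err
	}
	// filepath.Join cleans the result, so a plain "../x" is caught here.
	target := filepath.Join(rootReal, relPath)
	if !insideRoot(rootReal, target) {
		return "", ErrOutsideRepo
	}
	// The lexical check passed; now see where symlinks actually take us.
	resolved, err := evalExistingPrefix(target)
	if err != nil {
		return "", err
	}
	if !insideRoot(rootReal, resolved) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}

// insideRoot reports whether p equals root or lies strictly below it.
func insideRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(os.PathSeparator))
}

// evalExistingPrefix walks up from p until it finds a path that exists,
// resolves that prefix with EvalSymlinks, and re-appends the missing
// components unchanged. A dangling symlink on the way is rejected, because
// a later write would follow it and create the file at the link's target.
func evalExistingPrefix(p string) (string, error) {
	var missing []string
	cur := p
	for {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(append([]string{resolved}, missing...)...), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if fi, lerr := os.Lstat(cur); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrDanglingSymlink
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			return "", err // reached the filesystem root without an existing path
		}
		missing = append([]string{filepath.Base(cur)}, missing...)
		cur = parent
	}
}

func main() {
	// Constructed layout: a symlink inside the repo pointing at a directory outside it.
	base, err := os.MkdirTemp("", "gogs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	_ = os.MkdirAll(root, 0o755)
	_ = os.MkdirAll(outside, 0o755)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))

	for _, rel := range []string{"README.md", "escape/config", "../secret"} {
		p, err := SafeWritePath(root, rel)
		fmt.Printf("%-16s -> err=%v path=%s\n", rel, err, p)
	}
}
```

The check resolves symlinks only in the prefix that exists, because `EvalSymlinks` fails outright on a path whose last components are not yet created, which is exactly the case for a new file. Between this check and the actual write there is still a window in which the filesystem can change, so a production implementation would also open the target with flags that refuse to follow symlinks.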
This is not an isolated incident of a Gogs vulnerability being exploited in zero-day attacks; it follows other instances where such flaws have been used by attackers to breach vulnerable systems. The U.S. Department of Defense's annual cyber report highlighted that vulnerabilities were exploited by adversaries, with the goal of demonstrating attack vectors and methods for potential future use.
CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to patch within three weeks, by February 2, 2026. FCEB agencies are non-military U.S. executive branch agencies, including the Department of Energy, the Department of Justice, the Department of Homeland Security, and the Department of State. This order reflects CISA's commitment to keeping federal systems secure and protecting against potential cyber threats.
To mitigate this vulnerability, Gogs users are advised to disable the default open-registration setting immediately and limit server access using a VPN or an allow list. Additionally, admins should check for signs of compromise on their Gogs instance by looking for suspicious use of the PutContents API and repositories with random eight-character names created during the two attack waves.
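The two indicators named above, PutContents activity and repositories with random eight-character names, can be applied to request logs mechanically. The Go program below is an added example written for this article, not part of Gogs or of the Wiz Research findings. The log line layout and the route shape `/api/v1/repos/{owner}/{repo}/contents/{path}` are assumptions made for the demonstration, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample log lines (not real Gogs output).
const sampleLog = `2025-11-01T03:14:07Z PUT /api/v1/repos/alice/website/contents/index.html 200
2025-11-01T03:15:22Z PUT /api/v1/repos/bob/k7x2q9pl/contents/hooks-link 200
2025-11-01T03:15:40Z GET /api/v1/repos/bob/k7x2q9pl 200
2025-11-01T03:16:01Z PUT /api/v1/repos/carol/zz9r1m3a/contents/build.sh 200
2025-11-01T03:17:30Z POST /api/v1/user/repos 201
2025-11-01T03:18:11Z GET /api/v1/repos/alice/website 200`

var (
	// Assumed line layout: timestamp, method, path, status.
	apiLine = regexp.MustCompile(`^(\S+) (PUT|GET|POST|DELETE) /api/v1/repos/([^/\s]+)/([^/\s]+)(/contents/(\S*))? (\d{3})$`)
	// Eight lowercase alphanumerics, matching the random repository names described in the article.
	shortName = regexp.MustCompile(`^[a-z0-9]{8}$`)
)

// Finding is one log line worth a closer look, with the indicators that fired.
type Finding struct {
	Time, Owner, Repo, Path string
	Reasons                 []string
	Severity                string // "high" when both indicators coincide, else "review"
}

// ScanLog applies both indicators to every line and keeps the lines where at
// least one of them fires.
func ScanLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := apiLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		var reasons []string
		if m[2] == "PUT" && m[5] != "" {
			reasons = append(reasons, "PutContents write")
		}
		if shortName.MatchString(m[4]) {
			reasons = append(reasons, "eight-character repository name")
		}
		if len(reasons) == 0 {
			continue
		}
		sev := "review"
		if len(reasons) == 2 {
			sev = "high"
		}
		out = append(out, Finding{Time: m[1], Owner: m[3], Repo: m[4], Path: m[6], Reasons: reasons, Severity: sev})
	}
	return out
}

// CountSeverity returns how many findings carry the given severity.
func CountSeverity(fs []Finding, sev string) int {
	n := 0
	for _, f := range fs {
		if f.Severity == sev {
			n++
		}
	}
	return n
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("%-6s %s %s/%s %q  %s\n", f.Severity, f.Time, f.Owner, f.Repo, f.Path, strings.Join(f.Reasons, "; "))
	}
}
```

On the constructed input the two lines where a PutContents write hits an eight-character repository are ranked high, while a legitimate PutContents write to `alice/website` and a plain read of `bob/k7x2q9pl` are surfaced for review only. Eight-character names are common enough in normal use that the name indicator alone is a triage hint, not a verdict; the write through the PutContents API is what distinguishes the pattern described in the article.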
The patching process is crucial in this situation due to the widespread exposure of Gogs servers online. By requiring agencies to apply mitigations per vendor instructions, or to discontinue use of the product if mitigations are unavailable, CISA aims to reduce the attack surface of FCEB agencies and protect against further zero-day attacks. Securing their systems against this vulnerability also lets federal civilian executive branch agencies guard against follow-on exploitation attempts.
Vulnerabilities like CVE-2025-8110 underscore the importance of proactive patching and security measures to prevent exploitation in the wild. As attackers continue to exploit zero-day flaws to breach otherwise well-defended systems, organizations need to take immediate action to secure their infrastructure against such threats.
The recent experience with Gogs serves as a reminder of the ever-evolving threat landscape and the need for continuous vigilance on the part of cybersecurity professionals and security teams. With widespread exposure of vulnerable servers and ongoing zero-day attacks exploiting CVE-2025-8110, patching is now imperative to safeguard against potential cyber threats.
Furthermore, this highlights the critical role that agencies like CISA play in mitigating risks associated with vulnerabilities in widely used software products like Gogs. By issuing high-priority alerts and taking swift action to secure federal systems, CISA helps reduce the attack surface for vulnerable organizations, thereby minimizing the risk of exploitation.
This vulnerability also underscores the importance of monitoring and scanning for exposed servers that are susceptible to such threats. Organizations should implement robust security measures to prevent similar instances of zero-day attacks on their infrastructure.
In conclusion, the recent Gogs RCE flaw (CVE-2025-8110) serves as a stark reminder of the ever-present threat landscape in cybersecurity. The swift action taken by CISA and the proactive measures being implemented by FCEB agencies underscore the importance of staying vigilant against potential cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Orders-Feds-to-Patch-Gogs-RCE-Flaw-Exploited-in-Zero-Day-Attacks-Amidst-Widespread-Vulnerability-Exposures-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-8110
https://www.cvedetails.com/cve/CVE-2025-8110/
https://nvd.nist.gov/vuln/detail/CVE-2024-55947
https://www.cvedetails.com/cve/CVE-2024-55947/
Published: Mon Jan 12 14:17:54 2026 by llama3.2 3B Q4_K_M