Gogs Path Traversal CVE-2025-8110: Active Exploitation Prompts CISA KEV Inclusion
Executive Summary
In January 2026, CISA issued an alert adding CVE-2025-8110 to its Known Exploited Vulnerabilities Catalog after confirming active exploitation of a critical path traversal vulnerability in Gogs, a popular self-hosted Git service. Threat actors leveraged this flaw to bypass directory security controls, allowing unauthorized access to sensitive files and potentially facilitating lateral movement, data exfiltration, or the deployment of malicious code in affected federal and private sector organizations. In accordance with Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies were ordered to remediate this vulnerability immediately to stem ongoing exploitation risks and protect government infrastructure.
The ongoing exploitation of CVE-2025-8110 highlights a growing trend of attackers targeting unmanaged or overlooked developer infrastructure for initial access. The incident underscores regulatory and operational pressure for timely vulnerability management and demonstrates the criticality of securing east-west application flows.
Why This Matters Now
CVE-2025-8110's inclusion in CISA's KEV Catalog indicates that attackers are actively exploiting this flaw in the wild, placing any unpatched Gogs instances at immediate risk of compromise. Its ease of exploitation, impact on source code repositories, and regulatory urgency make rapid patching and segmented network controls crucial for prevention.
Attack Path Analysis
Attackers exploited the Gogs path traversal vulnerability to gain initial access to a vulnerable cloud workload. After compromising the service, they sought to escalate privileges for broader access within the hosting environment. Moving laterally via cloud network pathways, attackers targeted additional services and internal resources. They established command & control through outbound network connections, maintaining persistence and remote operation capability. Sensitive data was exfiltrated from affected workloads via unauthorized outbound data flows. Ultimately, the attacker could disrupt services or deploy destructive payloads, causing operational impact.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited the publicly-exposed Gogs path traversal vulnerability (CVE-2025-8110) to remotely execute code and gain a foothold in the cloud environment.
Related CVEs
CVE-2025-8110
CVSS 8.7Improper symbolic link handling in the PutContents API in Gogs allows local execution of code.
Affected Products:
Gogs Gogs – <= 0.13.0
Exploit Status:
exploited in the wildCVE-2024-44625
CVSS 7.5Gogs <=0.13.0 is vulnerable to directory traversal via the editFilePost function of internal/route/repo/editor.go.
Affected Products:
Gogs Gogs – <= 0.13.0
Exploit Status:
proof of conceptCVE-2022-1884
CVSS 10A remote command execution vulnerability exists in Gogs versions <=0.12.7 when deployed on a Windows server due to improper validation of the tree_path parameter during file uploads.
Affected Products:
Gogs Gogs – <= 0.12.7
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
System Services
Network Service Discovery
Exploitation of Remote Services
Remote Services
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Software
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 9(2)
CISA ZTMM 2.0 – Vulnerability Management
Control ID: Asset Management-2
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Gogs path traversal vulnerability directly impacts software development environments, requiring immediate patching of version control systems and enhanced security controls.
Government Administration
Federal agencies face BOD 22-01 compliance requirements for CVE-2025-8110 remediation, with significant risk to government networks and infrastructure security.
Financial Services
Path traversal exploits threaten financial data integrity and compliance frameworks, necessitating zero trust segmentation and encrypted traffic monitoring capabilities.
Health Care / Life Sciences
Healthcare organizations must address vulnerability exploitation risks affecting HIPAA compliance, requiring enhanced threat detection and secure hybrid connectivity solutions.
Sources
- CISA Adds One Known Exploited Vulnerability to Cataloghttps://www.cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalogVerified
- NVD - CVE-2025-8110https://nvd.nist.gov/vuln/detail/CVE-2025-8110Verified
- Wiz Research: Gogs CVE-2025-8110 RCE Exploithttp://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploitVerified
- NVD - CVE-2024-44625https://nvd.nist.gov/vuln/detail/CVE-2024-44625Verified
- Unpatched Remote Code Execution in Gogshttps://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs/Verified
- NVD - CVE-2022-1884https://nvd.nist.gov/vuln/detail/CVE-2022-1884Verified
- Vulnerability Summary for the Week of November 11, 2024 | CISAhttps://www.cisa.gov/news-events/bulletins/sb24-323Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Zero Trust segmentation, robust egress controls, anomaly detection, and workload isolation would have minimized propagation, detected abnormal behaviors, and prevented data exfiltration following exploitation of the vulnerable workload.
Control: Cloud Firewall (ACF)
Mitigation: Potentially blocks or restricts external attack traffic targeting vulnerable services.
Control: Zero Trust Segmentation
Mitigation: Limits escalation by enforcing least privilege network access among cloud workloads.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized workload-to-workload communication.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks suspicious outbound command and control attempts.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks signatures of data exfiltration and unauthorized transfers.
Rapid detection and alerting of disruptive activities enable swift containment.
Impact at a Glance
Affected Business Functions
- Version Control Systems
- Software Development
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of source code repositories and sensitive configuration files.
Recommended Actions
Key Takeaways & Next Steps
- • Apply vulnerability management rigorously to remediate all KEV-listed vulnerabilities such as CVE-2025-8110.
- • Enforce zero trust segmentation and microsegmentation to limit lateral movement post-compromise.
- • Deploy layered egress filtering and outbound policy controls to prevent unauthorized data flow and C2 communications.
- • Implement inline intrusion prevention and anomaly-based detection to rapidly identify and contain malicious behaviors.
- • Enhance centralized visibility and policy management to monitor, audit, and enforce cloud security controls across all environments.
