🔴 CVE-2025-8110

Critical RCE vulnerability in Gogs Git service allows authenticated users to achieve remote code execution via symbolic link bypass in the PutContents API. Over 700 internet-facing instances have been compromised with active exploitation ongoing.

Risk Level: HIGH_RISK
CVSS Score: 8.7
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-10

Added to CISA KEV: 2026-01-12 (33 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-01-13)

CVE-2025-8110 is a critical vulnerability affecting Gogs, a self-hosted Git service written in Go. The vulnerability has been actively exploited in the wild, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog on January 12, 2026.

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services: The vulnerability primarily affects internet-facing Gogs instances. Wiz research identified over 700 compromised instances publicly accessible on the internet as of December 1, 2025. [1]
  • Evidence of Active Exploitation: Active exploitation is ongoing, with reports indicating that over 700 Gogs instances have been compromised. [1][4] CISA's addition of CVE-2025-8110 to its KEV catalog on January 12, 2026, further confirms real-world exploitation. [2]
  • Attack Vectors and Exploitation Methods: The vulnerability stems from improper handling of symbolic links in Gogs' PutContents API. [3] This flaw allows authenticated users to overwrite files outside a repository, leading directly to Remote Code Execution (RCE). [1][3] It bypasses the fix for a previously patched RCE vulnerability, CVE-2024-55947, because that fix did not account for symbolic links within Git repositories. [7][8]
  • Targeted Attacks: While specific threat actors and attack methodologies are not fully disclosed, the active exploitation status indicates that this vulnerability is being used in real-world attacks, moving beyond theoretical concerns. [2]
  • CISA Known Exploited Vulnerabilities Status: CVE-2025-8110 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog on January 12, 2026. [5]
  • Technical Details about Internet Exploitability: The vulnerability allows authenticated users to achieve RCE by exploiting a symlink bypass in the file update API. [1][6] This enables them to overwrite files outside the intended repository, making it a significant threat to internet-facing Gogs installations. [1] The vulnerability has a CVSS v4.0 score of 8.7. [3] A patch for this specific vulnerability was not immediately available as of December 2025, though a fix was reportedly in the works. [1][4]
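To make the root cause described above concrete, here is an added Go example (not Gogs's code) that contrasts the purely lexical containment check a ".." filter provides with one that also resolves the path on disk and refuses to write through a symlink committed into the tree. The function names safeJoin and demo, the ErrEscape sentinel, and the constructed checkout whose link points at its parent directory are illustrative assumptions, not taken from Gogs.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("path escapes repository root")
// safeJoin: lexical ".." check, then refuse any symlink on the path; root must be absolute and canonical.
func safeJoin(root, rel string) (string, error) {
	full := filepath.Join(root, rel) // step 1: Join collapses ".." segments
	if full != root && !strings.HasPrefix(full, root+string(os.PathSeparator)) {
		return "", ErrEscape
	}
	dir := full // step 2: resolve the nearest existing part of the path on disk
	resolved, err := filepath.EvalSymlinks(dir)
	for errors.Is(err, os.ErrNotExist) && dir != root {
		dir = filepath.Dir(dir)
		resolved, err = filepath.EvalSymlinks(dir)
	}
	if err != nil {
		return "", err
	}
	if resolved != dir { // some component (or the target itself) is a symlink
		return "", fmt.Errorf("%w: %s resolves to %s", ErrEscape, dir, resolved)
	}
	return full, nil
}

// demo: constructed checkout base/repo with link -> .. inside it; checks a write to link/file.txt.
func demo(base string) (root string, lexicalOK bool, err error) {
	base, _ = filepath.EvalSymlinks(base)
	root = filepath.Join(base, "repo")
	_ = os.Mkdir(root, 0o755)
	if err = os.Symlink("..", filepath.Join(root, "link")); err != nil {
		return root, false, err
	}
	lexicalOK = strings.HasPrefix(filepath.Join(root, "link/file.txt"), root+"/")
	_, err = safeJoin(root, "link/file.txt")
	return root, lexicalOK, err
}

func main() {
	base, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(base)
	fmt.Println(demo(base)) // lexicalOK is true while err wraps ErrEscape
}
```

The string-only check accepts link/file.txt because nothing in the text leaves the root; only resolving the path on disk reveals that the write would land in the parent directory.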

Sources

  1. Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog

    A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE). We identified over 700 compromised instances public-facing on the internet. As of December 1, 2025, active explo…

  2. CISA Warns of Actively Exploited Gogs Path Traversal Vulnerability

    Active Exploitation and CISA’s Response CISA’s inclusion of CVE-2025-8110 in its KEV catalog on January 12, 2026, signals that real-world exploitation is already underway. While the specific threat actors and attack methodologies remain undisclosed, the active exploitation status elevates this vulne…

  3. CISA Flags Actively Exploited Gogs Vulnerability With No Patch

    Tracked as CVE-2025-8110 and rated 8.7 on the CVSS v4.0 scale, the vulnerability stems from improper handling of symbolic links in Gogs’ PutContents API. The flaw allows authenticated users to overwrite files outside a repository, which can lead directly to remote code execution (RCE). Exploitation…

  4. Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks

    A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update…

  5. CISA Adds One Known Exploited Vulnerability to Catalog

    This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding ...