Cybersecurity Threat Advisory: Gogs zero-day vulnerability

A high-severity, unpatched vulnerability in the Gogs self-hosted Git service is being tracked as CVE-2025-8110. It carries a CVSS score of 8.7 and is under active exploitation, with more than 700 compromised instances exposed on the internet. Review this Cybersecurity Threat Advisory now to protect your environment and your clients’ environments.

What is the threat?

The unpatched vulnerability in Gogs, CVE-2025-8110, allows attackers to exploit a flaw in the file update API to overwrite arbitrary files outside of repositories, enabling remote code execution (RCE). In practical terms, this gives malicious actors full control of the affected server. Once compromised, attackers can steal source code, implant backdoors or malware, and use the server as a launchpad for deeper network infiltration.

Why is it noteworthy?

This is a zero-day flaw that is already being actively exploited in the wild, with more than 700 Gogs instances already compromised. The scale of exploitation demonstrates how quickly attackers moved to weaponize the bug once it was discovered, and the fact that no official patch is yet available leaves organizations exposed and reliant only on temporary mitigations. Beyond the immediate compromises, the vulnerability poses a serious supply chain risk, since Gogs is widely used to host source code repositories, meaning attackers could steal proprietary code or inject malicious changes into projects. It’s also a regression of a previously patched issue, highlighting the challenges of secure software maintenance and the potential for old vulnerabilities to resurface in new forms.

What is the exposure or risk?

Successful exploitation grants attackers full control of the server. Risks include:

  • Source code theft of proprietary projects.
  • Malicious code injection, compromising downstream software supply chains.
  • Persistent access via backdoors or malware.
  • Lateral movement into internal networks.

With hundreds of compromised instances already online, organizations using self-hosted Git services face systemic risk.

What are the recommendations?

Barracuda recommends the following actions to reduce exposure:

  • Limit Gogs servers to trusted networks; avoid direct internet exposure.
  • Apply workarounds:
    • Disable public account creation if unnecessary.
    • Place Gogs behind a VPN or enforce IP allowlists.
    • Monitor for suspicious repositories (e.g., random 8-character names) or unusual API calls.
  • Watch for unauthorized file changes or anomalous activity.
  • Apply the official patch as soon as it’s released.
  • If compromise is suspected, isolate the server, rotate credentials, and perform a forensic review.
  • Audit repositories for unauthorized changes.
  • Move critical workloads to secure platforms until the vulnerability is resolved.
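As an added example (not code from the advisory or from the Gogs project), a small Python triage helper that implements two of the monitoring recommendations above: flagging random-looking 8-character repository names and flagging write calls to the file-contents API from addresses outside an allowlist. The repository names, the access-log lines, the trusted `10.` address prefix and the `/api/v1/repos/<owner>/<repo>/contents/` path shape are assumptions to adapt to your own deployment and reverse-proxy log format.

```python
import math
import re
from collections import Counter

# Constructed sample input: repository names as returned by the Gogs UI or API.
SAMPLE_REPOS = ["infra-tools", "website", "x7k2p9qa", "b3n8v1zm", "docs", "backend"]

# Constructed sample reverse-proxy access lines (common log format).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "PUT /api/v1/repos/bob/x7k2p9qa/contents/build.sh HTTP/1.1" 200 512
10.0.0.12 - - [10/Oct/2025:12:01:14 +0000] "GET /api/v1/repos/alice/infra-tools HTTP/1.1" 200 1432
10.0.0.12 - - [10/Oct/2025:12:02:30 +0000] "PUT /api/v1/repos/alice/website/contents/index.html HTTP/1.1" 200 301
203.0.113.9 - - [10/Oct/2025:12:03:02 +0000] "POST /user/sign_up HTTP/1.1" 302 0
"""

# Assumption: address prefixes allowed to reach the write API (your VPN/allowlist range).
TRUSTED_PREFIXES = ("10.",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the file update API appears as PUT/POST requests under .../contents/.
WRITE_API_RE = re.compile(r"^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str, length: int = 8, min_entropy: float = 2.5) -> bool:
    """Tunable heuristic for the random 8-character names the advisory mentions:
    exactly `length` lowercase alphanumerics mixing letters and digits, high entropy."""
    if len(name) != length or not name.isalnum() or not name.islower():
        return False
    if not any(ch.isdigit() for ch in name) or not any(ch.isalpha() for ch in name):
        return False
    return shannon_entropy(name) >= min_entropy


def suspicious_repos(names):
    return [n for n in names if looks_random(n)]


def flag_log_lines(log_text: str, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (line_no, reason) for write-API calls from untrusted addresses
    or into random-looking repositories; review every hit by hand."""
    findings = []
    for i, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("PUT", "POST"):
            continue
        w = WRITE_API_RE.match(m["path"])
        if not w:
            continue
        if not m["ip"].startswith(trusted_prefixes):
            findings.append((i, f"write API call from untrusted address {m['ip']}"))
        if looks_random(w["repo"]):
            findings.append((i, f"write API call into random-looking repo {w['repo']}"))
    return findings
```

Feed it the repository list and proxy log from a real instance; anything it flags is a starting point for the forensic review the advisory recommends, not a verdict on its own.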

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.