CISA’s January additions to the Known Exploited Vulnerabilities catalog are a reminder, not a surprise. A seemingly small flaw in a niche tool can be the wedge that opens a door into enterprise and industrial systems. The addition of the Gogs path traversal and remote code execution issue, CVE-2025-8110, is the latest example.
What CISA added and why it matters
On or around January 12, 2026, CISA moved CVE-2025-8110 into the KEV catalog after evidence of active exploitation surfaced. The catalog move triggers mandatory remediation requirements for federal civilian agencies under BOD 22-01 and signals that every organization should prioritize mitigation.
That same January window also saw HPE OneView’s maximum-severity code injection flaw, CVE-2025-37164, flagged as actively exploited and placed under urgent response guidance. OneView is an orchestration and management layer for servers and storage. A compromise there is not a foot in the door. It is a master key to racks and the automation that runs them.
How the Gogs exploit operates and why non-state actors can use it
The Gogs issue is straightforward and brutal. Improper handling of symbolic links in the PutContents API allows an authenticated user to write outside a repository, overwriting files such as .git/config and triggering remote code execution paths. In plain terms, an attacker with the ability to create or modify a repository can force the host to run code. That simplicity is the problem.
Researchers observed automated campaigns leveraging this flaw and reported hundreds of publicly exposed Gogs instances showing signs of compromise. When exploitation is reproducible and automation-friendly, commercially available or freely available tooling levels the playing field for non-state actors. Groups with limited budgets and modest skill sets can scan, find self-hosted development platforms, and weaponize identical techniques at scale.
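As an added illustration of the defensive side of this bug (not code from Gogs, CISA, or this article), the following Go program shows the kind of check a server-side file-write handler needs before it opens anything for writing. Go is used because Gogs is written in it; the names SafeRepoPath and resolveExisting and the constructed demo layout are this example's own assumptions. The point it makes is that rejecting ".." lexically is not enough: a symlink committed inside the repository can still resolve outside it, so the symlink-resolved target must be compared against the resolved repository root, and a dangling symlink must be refused because writing through it would create a file wherever it points.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo is returned when a requested write path would land outside
// the repository root or inside its .git metadata directory.
var ErrEscapesRepo = errors.New("path escapes repository root or targets .git")

// outsideRoot reports whether target is neither root nor a descendant of it.
// Both arguments must already be symlink-resolved absolute paths.
func outsideRoot(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting resolves symlinks in the deepest existing ancestor of p and
// re-attaches the not-yet-existing suffix, so a file that does not exist yet
// can still be checked. A dangling symlink is rejected outright: writing
// through it would create a file wherever it points.
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if fi, lerr := os.Lstat(p); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("dangling symlink at %s", p)
		}
		dir, base := filepath.Split(filepath.Clean(p))
		if dir = filepath.Clean(dir); dir == p {
			return "", err // reached the filesystem root; nothing exists
		}
		rest = filepath.Join(base, rest)
		p = dir
	}
}

// SafeRepoPath is the check a server-side "put file contents" handler should
// run before writing. Lexical checks alone (rejecting "..") are not enough:
// a symlink inside the repository can still point outside it, which is why
// the resolved target is compared with the resolved root.
func SafeRepoPath(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrEscapesRepo
	}
	for _, part := range strings.Split(filepath.Clean(rel), string(filepath.Separator)) {
		if part == ".." || part == ".git" {
			return "", ErrEscapesRepo
		}
	}
	rootResolved, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target, err := resolveExisting(filepath.Join(rootResolved, rel))
	if err != nil {
		return "", err
	}
	if outsideRoot(rootResolved, target) {
		return "", ErrEscapesRepo
	}
	return target, nil
}

func main() {
	// Constructed demo: a repository working tree containing a symlink
	// "link" that points at the directory above the repository.
	base, _ := os.MkdirTemp("", "repo-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	_ = os.Mkdir(repo, 0o755)
	_ = os.Symlink(base, filepath.Join(repo, "link"))

	for _, rel := range []string{"README.md", "docs/new.md", "link/outside.txt", "../outside.txt", ".git/config"} {
		target, err := SafeRepoPath(repo, rel)
		if err != nil {
			fmt.Printf("REJECT %-18s %v\n", rel, err)
			continue
		}
		fmt.Printf("ALLOW  %-18s -> %s\n", rel, target)
	}
}
```

The ".git" component check is a deliberate extra: a content API has no legitimate reason to write repository metadata, and blocking it removes the .git/config overwrite path described above even if some other resolution bug slipped through.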
Why these kinds of vulnerabilities are a critical infrastructure problem
Two vectors make these catalog additions dangerous for critical infrastructure. First, platform concentration and orchestration tooling. HPE OneView and similar management planes touch hundreds or thousands of systems. Exploiting them gives an attacker orchestration-level control that can be turned into data destruction, ransomware deployment, or operational disruption.
Second, the DevOps surface. Self-hosted Git services like Gogs are part of many organizations’ CI/CD pipelines. When those systems are exposed to the internet or configured with permissive defaults like open registration, they become accessible footholds into build systems and deployment channels. Compromise a build host or CI runner and you can poison artifacts or push malicious code into production. The attacker profile here is not just nation-state actors. Criminal groups and opportunistic hackers can and do exploit these vectors quickly.
What defenders should do now — practical and non-negotiable steps
1) Inventory and isolate: Identify every self-hosted development and management platform on your network. Treat orchestration, management, and CI/CD hosts as high-value assets and isolate them on segmented networks with strict egress controls. No exceptions.
2) Remove or restrict internet exposure: If a Gogs instance or similar service does not need to be internet-facing, pull it behind VPN or an allow-list. Open registration and permissive defaults are the most common negligence vectors.
3) Patch and mitigate aggressively: Apply vendor fixes where available. Where patches are not yet available, implement vendor and community mitigations, disable risky features, and increase monitoring of the service. CISA’s KEV entries and vendor advisories should be treated as immediate action items.
4) Hunt and validate: Conduct targeted hunts for indicators described by researchers. Look for unexpected repository names, modified .git/config files, unexpected SSH keys or accounts, webshells, and suspicious outbound connections from developer hosts. Assume compromise until you can prove otherwise.
5) Harden CI/CD and supply chains: Require signed artifacts for production deployments, enforce least privilege for repository and pipeline access, and validate third-party packages. Treat your build system as part of the trusted computing base and protect it accordingly.
6) Lock down management layers: For platforms like HPE OneView, apply vendor patches immediately, restrict management plane IPs, require multi-factor authentication, and monitor automation workflows for anomalous activity. A single orchestration compromise can cascade across infrastructure.
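The following Go program is an added example of the repository hunt in step 4; it is not a tool from Gogs, CISA, or this article. It walks one repository directory (a bare "<name>.git" or a checkout with a .git subdirectory) and reports two of the indicators named above: symlinks that resolve outside the repository, and git config entries that make git run a command. HuntRepo, the constructed demo layout, and the short list of config keys are this example's own assumptions; the key list is deliberately non-exhaustive.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one hunt hit: the path involved and why it is suspicious.
type Finding struct{ Path, Reason string }

// suspiciousConfigKeys is a short, non-exhaustive selection (an assumption of
// this example) of git config keys that cause git to run a command. A config
// file maintained by a hosting server should never set them.
var suspiciousConfigKeys = map[string]bool{"sshcommand": true, "fsmonitor": true, "hookspath": true}

// outsideRoot reports whether target is neither root nor a descendant of it;
// both must be symlink-resolved absolute paths.
func outsideRoot(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// scanGitConfig reports lines of a git config file that set a key from
// suspiciousConfigKeys. Keys are case-insensitive in git config syntax.
func scanGitConfig(p string) ([]Finding, error) {
	f, err := os.Open(p)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var out []Finding
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		key, _, ok := strings.Cut(sc.Text(), "=")
		if !ok {
			continue
		}
		key = strings.ToLower(strings.TrimSpace(key))
		if suspiciousConfigKeys[key] {
			out = append(out, Finding{p, "git config sets " + key + ", which makes git execute a command"})
		}
	}
	return out, sc.Err()
}

// HuntRepo walks one repository directory and reports symlinks resolving
// outside it and config entries that point git at an executable. Walk uses
// Lstat, so symlinked directories are reported, not descended into.
func HuntRepo(root string) ([]Finding, error) {
	rootResolved, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	err = filepath.Walk(rootResolved, func(p string, fi os.FileInfo, werr error) error {
		if werr != nil {
			return werr
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			dest, rerr := filepath.EvalSymlinks(p)
			switch {
			case rerr != nil:
				findings = append(findings, Finding{p, "dangling symlink"})
			case outsideRoot(rootResolved, dest):
				findings = append(findings, Finding{p, "symlink resolves outside repository: " + dest})
			}
			return nil
		}
		// Matches "<name>.git/config" in a bare repo and ".git/config" in a checkout.
		inGitDir := strings.HasSuffix(filepath.Base(filepath.Dir(p)), ".git")
		if fi.Mode().IsRegular() && filepath.Base(p) == "config" && inGitDir {
			hits, serr := scanGitConfig(p)
			if serr != nil {
				return serr
			}
			findings = append(findings, hits...)
		}
		return nil
	})
	return findings, err
}

func main() {
	// Constructed demo: a bare repository whose config sets core.sshCommand
	// and which contains a symlink to the directory above it.
	base, _ := os.MkdirTemp("", "hunt-demo")
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "demo.git")
	_ = os.Mkdir(repo, 0o755)
	_ = os.WriteFile(filepath.Join(repo, "config"), []byte("[core]\n\tbare = true\n\tsshCommand = /opt/not-ssh\n"), 0o644)
	_ = os.Symlink(base, filepath.Join(repo, "escape"))

	findings, err := HuntRepo(repo)
	if err != nil {
		fmt.Println("hunt failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("FINDING %s: %s\n", f.Path, f.Reason)
	}
}
```

Run HuntRepo over every repository directory the Git service manages and treat each finding as a lead to confirm by hand, not as proof of compromise; a clean run says nothing about the other indicators in step 4 (unexpected accounts, SSH keys, webshells, outbound connections), which need their own checks.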
Strategic takeaway
CISA’s January KEV activity will look like a string of tactical problems: one RCE here, one orchestration bug there. It is more than that. It is evidence of a broader dynamic. Low-cost, well-understood exploits that can be automated turn small projects and management tools into force multipliers for non-state actors. Those actors are not picky. They will take the easiest path to high impact. Your defense posture has to reflect that reality. Prioritize management planes and developer-facing services the way you would prioritize control-room ICS assets. If you do not, attackers will use those services to reach into the things you thought were protected.
No drama. Do the work. Patch, isolate, hunt, and harden. The rest is reactive cleanup that costs time and reputation.