
CISA Orders Federal Agencies to Patch Critical Gogs RCE Vulnerability (CVE-2024-3990) Exploited in Zero-Day Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering US federal agencies to patch a critical remote code execution (RCE) vulnerability in Gogs, a popular self-hosted Git repository management system. Tracked as CVE-2024-3990, this high-severity flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers and has been actively exploited in zero-day attacks before being patched.

The directive, issued under Binding Operational Directive BOD 22-01, gives agencies until June 11, 2024 to apply mitigations. Gogs versions prior to 0.13.0 are affected, though no official patch exists at this time. The maintainers recommend upgrading to the latest version as the primary mitigation strategy.

This vulnerability poses significant risk because Gogs is often used in development environments, so a compromised instance could enable supply chain attacks. The exploitation was discovered by security researchers at SonarSource, though details about specific attacks or threat actors remain undisclosed.

Federal agencies and private organizations running Gogs should prioritize immediate upgrading to prevent compromise of their source code repositories and development infrastructure.