CVE-2025-8110 IBM QRadar · QRadar

Detect Gogs Path Traversal Vulnerability (CVE-2025-8110) in IBM QRadar

Detects exploitation attempts targeting CVE-2025-8110, a path traversal vulnerability (CWE-22) in Gogs self-hosted Git service. Attackers can craft malicious HTTP requests containing directory traversal sequences to read arbitrary files outside the intended web root, potentially exposing sensitive configuration files, SSH keys, or repository data. This vulnerability is listed in the CISA KEV catalog indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Credential Access Collection

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  destinationip,
  URL,
  'HTTP_METHOD' AS http_method,
  starttime,
  eventcount,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  category = 'HTTP' OR logsourcetypename(devicetype) ILIKE '%web%' OR logsourcetypename(devicetype) ILIKE '%proxy%'
  AND (
    URL ILIKE '%../%' OR
    URL ILIKE '%..\\%' OR
    URL ILIKE '%2e%2e%2f%' OR
    URL ILIKE '%2e%2e/%' OR
    URL ILIKE '%252e%252e%' OR
    URL ILIKE '%2e%2e%5c%'
  )
  AND (
    URL ILIKE '%app.ini%' OR
    URL ILIKE '%etc/passwd%' OR
    URL ILIKE '%etc/shadow%' OR
    URL ILIKE '%id_rsa%' OR
    URL ILIKE '%.ssh%' OR
    URL ILIKE '%conf/app.ini%'
  )
  AND LOGSOURCETIME(starttime) > NOW() - 1 HOURS
ORDER BY starttime DESC
LAST 1 HOURS
critical severity medium confidence

QRadar AQL query to identify path traversal attack patterns in HTTP logs targeting Gogs server paths, including both raw and URL-encoded traversal sequences combined with sensitive file target indicators.

Data Sources

QRadar web log sourcesProxy log sourcesIDS/IPS event feeds

Required Tables

events

False Positives & Tuning

  • Authorized vulnerability scans or web application assessments that include traversal test cases
  • Legitimate integrations using URL encoding in file paths that superficially match traversal patterns
  • QRadar log source misclassification causing non-HTTP events to be queried
  • Repository names or branches containing dot sequences that appear in HTTP logs

Other platforms for CVE-2025-8110

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Basic Gogs Path Traversal - Read app.ini

    Expected signal: HTTP GET requests to Gogs port (3000) with ../ and %2e%2e sequences in URI visible in access logs; 200 response with app.ini content if vulnerable, 400/403/404 if patched or WAF blocks

  2. Test 2Gogs Path Traversal - SSH Key Extraction

    Expected signal: HTTP requests with mixed encoding traversal patterns (%2f for /) targeting .ssh and id_rsa paths; response codes and body sizes indicate exploitation success or failure

  3. Test 3Automated Gogs Traversal Scan with Multiple Encoding Variants

    Expected signal: Burst of HTTP requests from single source IP within seconds, each containing different encoding variants of traversal sequences; some requests may return 200 with file content if instance is vulnerable

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-8110 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential AccessTA0009Collection

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1552.001Credentials In FilesT1005Data from Local System

Same Tactic: Initial Access

Popular Detections