
Attackers Exploiting Unpatched ShowDoc Servers Via CVE-2025-0520

  • 3 days ago
  • 2 min read

Key Findings


  • CVE-2025-0520, a critical remote code execution vulnerability in ShowDoc with a CVSS score of 9.4, is under active exploitation in the wild

  • Unrestricted file upload flaw allows unauthenticated attackers to deploy web shells and execute arbitrary code on vulnerable servers

  • Vulnerability affects all ShowDoc versions prior to 2.8.7, which was released in October 2020

  • Over 2,000 exposed ShowDoc instances remain online, with the majority located in China

  • Threat actors have been observed targeting unpatched servers, with initial exploitation attempts detected on honeypot systems


Background


ShowDoc is an online collaboration tool designed to help IT teams share documents and improve internal communication efficiency. The vulnerability CVE-2025-0520, also tracked as CNVD-2020-26585, stems from improper validation of file extensions during the upload process. This flaw allows attackers to bypass security controls and upload malicious PHP files without authentication, ultimately leading to full remote code execution on affected servers.


Vulnerability Details


The vulnerability stems from inadequate file validation in ShowDoc versions before 2.8.7. By circumventing the extension checks, attackers can upload arbitrary PHP files to the server, effectively deploying web shells that grant them complete control over the system. Because the flaw is reachable without authentication, no valid credentials are required to carry out an attack, which makes it particularly dangerous for exposed instances.


Active Exploitation


Security researchers at VulnCheck recently confirmed the first observed active exploitation of CVE-2025-0520. The observed attacks involve dropping web shells on vulnerable systems, with initial exploitation attempts documented against honeypot environments running unpatched versions. This is a significant development: threat actors continue to target older vulnerabilities regardless of how widely the affected software is deployed.


Threat Landscape


VulnCheck data shows that more than 2,000 ShowDoc instances remain accessible online, creating a substantial attack surface. The geographic concentration in China suggests potential targeting of organizations in that region, though exposed instances are found worldwide. VulnCheck provides threat intelligence, payloads, and artifacts to help customers understand and defend against these attacks.


Remediation


Organizations running ShowDoc must prioritize immediate updates to version 2.8.7 or later to patch the vulnerability. The current version available is 3.8.1, which includes all security fixes. Administrators should also audit their systems for signs of compromise and consider implementing additional security controls such as web application firewalls and access restrictions to file upload functions.


Sources


  • https://securityaffairs.com/190790/uncategorized/attackers-target-unpatched-showdoc-servers-via-cve-2025-0520.html

  • https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html
