ShowDoc Vulnerability From 2020 Patch Now Exploited in Active Server Takeovers
Key Findings
- A five-year-old ShowDoc vulnerability (CVE-2025-0520) is being actively exploited in attacks on internet-exposed servers worldwide
- CVSS 9.4 (critical): unauthenticated remote code execution leading to full server takeover
- The flaw is an unrestricted file upload: attackers need no credentials to upload a PHP web shell that the server then executes
- Over 2,000 ShowDoc instances remain exposed online, primarily in China, many running unpatched versions
- A US-based security canary confirmed active exploitation, including web shell deployment
- A patch has been available since October 2020 (version 2.8.7), but slow adoption leaves many systems vulnerable
Background
ShowDoc is a document management and collaboration tool popular among IT teams worldwide, with particular prevalence in China. The software provides centralized document storage and team coordination features. Despite having a smaller user base compared to enterprise giants like Microsoft SharePoint or Atlassian Confluence, ShowDoc maintains a notable presence with over 2,000 internet-exposed instances tracked by security researchers. The platform is built on PHP, which becomes significant when examining how this vulnerability operates.
The Vulnerability Explained
CVE-2025-0520 is an unrestricted file upload flaw: ShowDoc does not validate the type or extension of files submitted to an upload endpoint and does not require the uploader to be authenticated. An attacker can therefore upload a file with a .php extension into a directory the web server serves. Because ShowDoc runs under a PHP interpreter, a subsequent HTTP request for that file causes the server to execute it as code rather than return it as a document. The uploaded file is typically a web shell, which gives the attacker remote command execution on the host with the privileges of the web server process, and from there a path to complete compromise.
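To make the class of bug concrete, here is an added illustration (not code from ShowDoc, and not a reconstruction of its upload handler): a minimal PHP upload handler written in the pattern that produces an unrestricted file upload, beside a hardened version. The form field names, directories, size limit and extension allow-list are assumptions chosen for the example.

```php
<?php
// Added illustration for this article, not code from ShowDoc. Field names,
// directories and the allow-list below are assumptions for the example.
declare(strict_types=1);

// Vulnerable pattern: no authentication check, no type check, and the
// client-chosen filename is written straight into a web-served directory.
// A multipart POST whose file part is named "shell.php" lands at
// /uploads/shell.php; the next GET for that URL is handed to the PHP
// engine and the file runs as code instead of being served as a document.
function vulnerableUpload(array $file, string $webRootUploads): string
{
    $dest = $webRootUploads . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// Hardened pattern. The caller must already have authenticated the user
// before reaching this function (not shown). The function then:
//   1. accepts only extensions on an allow-list, compared case-insensitively;
//   2. sniffs the file bytes with finfo instead of trusting the Content-Type
//      the client sent, and requires the two to agree;
//   3. discards the client filename and generates a random one, so names
//      like "a.php.jpg", "x.pHp" or "y.phtml" are never reproduced on disk;
//   4. stores the file outside the document root with no execute bits.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;

function hardenedUpload(array $file, string $storageDirOutsideWebRoot): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only the final extension is considered, and it must be allow-listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the bytes, not the Content-Type header the client sent.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension: ' . $detected);
    }
    // Server-generated name: the attacker controls the bytes, never the path.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $storageDirOutsideWebRoot . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0640);
    // The original filename, if needed, is kept as metadata and the file is
    // served back through a download script that sets its own Content-Type.
    return $storedName;
}
```

Storing uploads outside the web root is the control that matters most: a valid JPEG with PHP code appended passes the finfo check, so the extension and content tests alone are not enough. Where an upload directory must remain under the web root, also disable the PHP engine for it in the server configuration (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration; for nginx, a `location` block that denies requests for `*.php` under the upload path), and remember that an attacker who can write `.htaccess` or `.user.ini` into a served, writable directory can re-enable parsing there.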
Active Exploitation Details
Security researchers at VulnCheck recently detected active exploitation of this vulnerability in the wild: their monitoring identified the flaw being weaponized against internet-exposed targets globally. One telling case involved a deliberately vulnerable ShowDoc instance running on a US-based security canary, a honeypot set up to alert defenders when it is attacked. Attackers hit the canary and successfully deployed a web shell, confirming that the vulnerability is exploitable in practice and that threat actors are actively scanning for unpatched systems.
The Patching Problem
ShowDoc shipped the fix in version 2.8.7 in October 2020, more than five years ago, yet the gap between patch release and adoption has left a large exposed population. Many organizations either never updated their installations or abandoned the software without removing it from production. This is the classic N-day problem: a flaw that is publicly known and already patched stays dangerous because patch management in real deployments lags far behind disclosure. The current release, ShowDoc 3.8.1, is available, but many users continue operating vulnerable installations.
Why This Matters
Will Baxter, Head of Architecture and Platform at Team Cymru, points out that attackers deliberately target these overlooked vulnerabilities as quiet entry points into exposed systems. Software with small user bases often falls outside major security monitoring efforts, making them ideal staging grounds for attackers. Once inside a compromised ShowDoc server, threat actors can pivot to other systems, establish command-and-control infrastructure, or simply maintain persistent access undetected. The limited visibility organizations have into these less-prominent tools compounds the problem, as many teams remain unaware their ShowDoc instances are even exposed to the internet.
Immediate Action Required
Organizations running ShowDoc should update to the current release, 3.8.1, immediately; any version older than 2.8.7 is affected. The CVSS score of 9.4 reflects unauthenticated remote code execution, the most severe outcome an application flaw can have. Those unable to update should take vulnerable instances offline, or at least off the internet, until the upgrade can be done, and should treat any instance that sat exposed while unpatched as potentially compromised: check the upload directory for PHP files and review web server logs for upload requests followed by requests for the uploaded file. External attack surface monitoring and asset discovery are essential for finding ShowDoc installations that escaped internal inventory, especially in China, where the tool is most common but often receives less security attention than major global platforms.
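For the "treat it as potentially compromised" step, the following is an added triage helper, not code from ShowDoc or from VulnCheck's research: a PHP command-line script that walks an upload directory and flags files a document tool has no reason to store, sorted newest first so a cluster of recent writes stands out. The extension list, marker strings and the expectation that you pass the upload directory as an argument are assumptions for this example; the markers are a cheap first pass, not an exhaustive web shell signature set.

```php
<?php
// Added triage helper for this article, not code from ShowDoc or VulnCheck.
// Extension list, marker strings and the CLI interface are assumptions.
declare(strict_types=1);

// Extensions a PHP-enabled web server may hand to the interpreter.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];
// Substrings common in minimal web shells; checked in the first few
// kilobytes of every file regardless of its extension.
const SHELL_MARKERS = ['<?php', '<?=', 'eval(', 'assert(', 'base64_decode(',
    'system(', 'shell_exec(', 'passthru(', 'exec(', 'popen(', 'proc_open('];
// Dropped into an upload directory, these can re-enable PHP parsing there.
const SERVER_CONFIG_FILES = ['.htaccess', '.user.ini'];

function scanUploadDir(string $dir, int $headBytes = 8192): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        $ext = strtolower($info->getExtension());
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            $reasons[] = "executable extension .$ext";
        }
        if (in_array($info->getFilename(), SERVER_CONFIG_FILES, true)) {
            $reasons[] = 'server config file in upload directory';
        }
        // Read only the head of the file; a polyglot (image with PHP appended)
        // is caught by the extension or config checks above, or by a full
        // content scan you would run on anything this pass flags.
        $head = @file_get_contents($path, false, null, 0, $headBytes);
        if ($head !== false) {
            foreach (SHELL_MARKERS as $marker) {
                if (stripos($head, $marker) !== false) {
                    $reasons[] = "contains $marker";
                }
            }
        }
        if ($reasons !== []) {
            $findings[] = [
                'path'    => $path,
                'size'    => $info->getSize(),
                'mtime'   => date('c', $info->getMTime()),
                'sha256'  => hash_file('sha256', $path),
                'reasons' => $reasons,
            ];
        }
    }
    // Newest first: the mtime of a dropped shell is the pivot for log review
    // (look for the POST that created it and the first GET that invoked it).
    usort($findings, fn(array $a, array $b): int => strcmp($b['mtime'], $a['mtime']));
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $dir = $argv[1] ?? null;
    if ($dir === null || !is_dir($dir)) {
        fwrite(STDERR, "usage: php scan_uploads.php <upload-directory>\n");
        exit(2);
    }
    echo json_encode(scanUploadDir($dir), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

Run it against a copy of the upload directory taken before cleanup, and record the SHA-256 values it reports before removing anything: the hashes let you correlate the same shell across other hosts, and the mtimes give you the window to search in web server logs and in outbound connection records for the command-and-control or pivot activity the article describes.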
Sources
https://hackread.com/showdoc-vulnerability-patch-2020-server-takeover/
https://www.news4hackers.com/showdoc-vulnerability-exploited-in-recent-server-attacks-patch-released-in-2020/
https://x.com/Dinosn/status/2045522645857296871
https://www.reddit.com/r/pwnhub/comments/1sp3tzd/old_showdoc_vulnerability_now_targeted_for_active/
https://www.linkedin.com/posts/lewiscombs_showdoc-vulnerability-patched-in-2020-now-activity-7451334103708254208-JU4G
