ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild.

The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0.

It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution.

“[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server,” according to an advisory released by Vulhub. 

The vulnerability was addressed in ShowDoc version 2.8.7, which was shipped in October 2020. The current version of the software is 3.8.1.

According to new details shared by Caitlin Condon, vice president of security research at VulnCheck, CVE-2025-0520 has come under active exploitation for the first time.

The observed exploit involves leveraging the flaw to drop a web shell on a U.S.-based honeypot running a vulnerable version of ShowDoc. Data shared by the company shows that there are more than 2,000 instances of ShowDoc online, most of which are located in China.

The development is the latest example of how threat actors are increasingly exploiting N-day security vulnerabilities, regardless of their install base. Users who are running ShowDoc are advised to update to the latest version for optimal protection.