ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers
ثغرة خطيرة (Remote Code Execution) CVE-2025-0520 كيتستغلوها الهاكرز دابا فـ ShowDoc Servers
Critical Remote Code Execution Flaw CVE-2025-0520 Actively Exploited on ShowDoc Servers
TL;DR
Threat actors are now actively exploiting CVE-2025-0520, a critical remote code execution (RCE) vulnerability in ShowDoc. Despite a patch being available since 2020, unpatched servers are being targeted with web shell uploads. Users are urged to upgrade to the latest version immediately to prevent compromises.
Introduction
The cybersecurity landscape is seeing a resurgence in the exploitation of "N-day" vulnerabilities—flaws for which patches have existed for years but remain unapplied by organizations. The latest target is ShowDoc, a document management and collaboration platform widely used in China.
Recent reports indicate that attackers are actively leveraging a critical flaw, tracked as CVE-2025-0520, to seize control of vulnerable servers.
Understanding CVE-2025-0520
CVE-2025-0520 (also known as CNVD-2020-26585) is an unrestricted file upload vulnerability with a CVSS score of 9.4, marking it as critical.
The flaw stems from improper validation of file extensions. Because the application fails to verify the types of files being uploaded, an unauthenticated attacker can upload arbitrary PHP files to the server. According to an advisory from Vulhub, this allows an attacker to plant a web shell, leading to full remote code execution (RCE).
Active Exploitation in the Wild
While the vulnerability has been known for several years, new data from Caitlin Condon, vice president of security research at VulnCheck, confirms that it has entered a phase of active exploitation.
Security researchers observed attackers utilizing the flaw to drop web shells on a U.S.-based honeypot running an outdated version of ShowDoc. This activity signals that threat actors are scanning the internet for low-hanging fruit—systems that have failed to implement years-old security updates.
Global Exposure
ShowDoc is a popular tool for technical documentation, particularly within Chinese tech ecosystems. Current data reveals:
- There are currently over 2,000 instances of ShowDoc accessible online.
- The majority of these instances are located in China.
The exploitation of this flaw underscores a growing trend where attackers bypass the "hype" of zero-day exploits to focus on older, reliable vulnerabilities where the "patch gap" remains wide.
Remediation and Recommendations
The vulnerability was officially addressed in ShowDoc version 2.8.7, which was released in October 2020. However, many administrators have clearly failed to update in the intervening years.
The current version of the software is 3.8.1. Security experts strongly advise all users and organizations running ShowDoc to:
- Verify the current version of their installation.
- Update to version 3.8.1 or the most recent stable release immediately.
- Audit servers for any unauthorized PHP files or suspicious web shells that may have been planted during the period of vulnerability.
Conclusion
The exploitation of CVE-2025-0520 is a stark reminder that a vulnerability's age does not decrease its risk. As long as unpatched instances remain online, threat actors will continue to utilize well-documented flaws to gain unauthorized access to infrastructure.
Source: https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html
