ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

Summary

A critical remote code execution vulnerability (CVE-2025-0520, CVSS 9.4) in ShowDoc, a document management service popular in China, is under active exploitation. The flaw stems from unrestricted file upload with improper file extension validation, allowing attackers to upload PHP web shells and execute arbitrary code. Despite a patch released in October 2020 (version 2.8.7), over 2,000 vulnerable instances remain online, with exploitation confirmed on a U.S.-based honeypot.

Full text

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers Ravie LakshmananApr 14, 2026Vulnerability / Network Security A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution. "[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server," according to an advisory released by Vulhub. The vulnerability was addressed in ShowDoc version 2.8.7, which was shipped in October 2020. The current version of the software is 3.8.1. According to new details shared by Caitlin Condon, vice president of security research at VulnCheck, CVE-2025-0520 has come under active exploitation for the first time. The observed exploit involves leveraging the flaw to drop a web shell on a U.S.-based honeypot running a vulnerable version of ShowDoc. Data shared by the company shows that there are more than 2,000 instances of ShowDoc online, most of which are located in China. The development is the latest example of how threat actors are increasingly exploiting N-day security vulnerabilities, regardless of their install base. Users who are running ShowDoc are advised to update to the latest version for optimal protection. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, network security, remote code execution, software security, Threat Intelligence, Vulnerability, web security Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• cve — CVE-2025-0520

Entities