Vulnerabilities | Apr 18, 2026

ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers

ShowDoc vulnerability CVE-2025-0520 actively exploited for RCE and web shell deployment.

Summary

A 5-year-old unrestricted file upload vulnerability (CVE-2025-0520, CVSS 9.4) in ShowDoc, a document collaboration tool, is being actively exploited by threat actors to deploy web shells and achieve remote code execution. Despite a patch released in October 2020, over 2,000 exposed ShowDoc instances remain unpatched worldwide, primarily in China, with confirmed exploitation detected on a U.S.-based honeypot server.

Full text

Hackers are exploiting a 5-year-old ShowDoc vulnerability (CVE-2025-0520) to deploy web shells, enabling RCE and full server takeover worldwide.

by Deeba Ahmed, April 18, 2026

A security flaw fixed over five years ago is being targeted by hackers again. The vulnerability is found in ShowDoc, a tool used by IT teams to manage documents and collaborate. ShowDoc is most popular in China, but recent attacks show that threat actors are finding ways to exploit it globally.

A Backdoor Into Servers

The vulnerability, tracked as CVE-2025-0520 with a high CVSS score of 9.4 out of 10, is an unrestricted file upload flaw. This occurs when the system fails to check what type of files users are sending to it. If exploited, this mistake allows hackers to upload their own PHP files to a server without needing a username or password.

For your information, such uploaded PHP files often contain a web shell, which is code that lets an unauthorised individual run commands on a computer remotely, a technique called remote code execution (RCE), and allows threat actors to take full control of the system. ShowDoc is built using the PHP programming language, and that’s why the server sees these uploaded files as legitimate system instructions and executes them.

Attack Details

According to the latest reports, hackers are actively exploiting this bug against servers worldwide. One such attack was spotted hitting a US-based canary, a highly sensitive trap designed to alert security teams the moment it is touched. In this case, the canary was running an old version of ShowDoc to see if hackers would take the bait.

Even though the software has a small user base compared to giant tech brands like Microsoft SharePoint or Atlassian Confluence, there are still more than 2,000 instances of ShowDoc visible on the internet, most of which are located in China.

Protecting Your Data

Originally, this bug was found in ShowDoc versions released before October 2020, and to stop its exploitation, the company released a fix in version 2.8.7. However, many users never installed the newer version, which creates a security crisis as many systems still run old software that hasn’t been updated in years.

Caitlin Condon, the VP of Security Research at VulnCheck, shared in an update that their systems detected this flaw being exploited in the wild only recently.

“Our team’s ASM queries show 2,000+ instances of ShowDoc online, primarily in China. The VulnCheck-observed exploit dropped a webshell on a U.S.-based Canary running the vulnerable software,” Condon’s post read.

She also noted that it is apparently linked to the current trend where hackers target N-day vulnerabilities. For your information, N-days are old, known bugs that stay active because people forget to patch their systems. So, if you use ShowDoc, the only way to stay safe is to update to the latest version, ShowDoc 3.8.1.

Source: VulnCheck

Expert’s Analysis

In a comment shared with Hackread.com, Will Baxter, Head of Architecture & Platform and Field CISO at Team Cymru, explained why these attacks are so dangerous. Baxter mentioned that this activity shows how attackers use old vulnerabilities as quiet entry points. He noted that even software with a small number of users can be valuable for hackers to use as a base for further attacks once they get inside.

“This activity highlights how attackers continue to exploit long-tail vulnerabilities as quiet entry points into exposed systems. Even software with a small install base can become valuable infrastructure for staging, pivoting, or command-and-control activity once compromised. The challenge is that these assets often fall outside an organization’s immediate visibility, which is why defenders need external intelligence to understand how their infrastructure appears and behaves on the open internet.”
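For administrators checking an instance against the two facts reported above (the fix shipped in version 2.8.7, and the observed attack leaves an uploaded PHP file on the server), the following is an added example, not code from the article, VulnCheck or ShowDoc. The upload directory is supplied by the caller, the extension list is an assumption about the server's PHP handler mapping, and the files written by `demo()` are constructed, harmless samples.

```python
import os
import re
import tempfile

FIXED_VERSION = (2, 8, 7)  # patched release named in the article
# Assumption: extensions the web server hands to PHP; match this to your config.
EXEC_EXTS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def parse_version(text):
    """Turn '2.8.7' or 'v3.8.1' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))

def needs_patch(installed):
    """True when the installed ShowDoc release predates the fix."""
    return parse_version(installed) < FIXED_VERSION

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for files that could run as PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dotted part so 'x.php.jpg' is caught as well as 'x.php'.
            exts = {"." + part.lower() for part in name.split(".")[1:]}
            if exts & EXEC_EXTS:
                findings.append((rel, "php-executable extension"))
                continue
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read(65536)):
                    findings.append((rel, "php tag in non-php file"))
    return sorted(findings)

def demo():
    """Run the audit over a constructed upload tree (harmless sample files)."""
    samples = {
        "diagram.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
        "export.xml": b"<?xml version='1.0'?><doc/>",
        "avatar.php": b"<?php /* constructed placeholder */ ?>",
        "logo.gif": b"GIF89a <?php /* constructed placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_uploads(root)
```

A finding is a reason to investigate, not proof of compromise, and a clean result on an unpatched version does not remove the need to upgrade.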

Indicators of Compromise

  • cve — CVE-2025-0520

Entities

  • ShowDoc (product)
  • VulnCheck (vendor)
  • PHP (technology)