A critical remote code execution vulnerability in ShowDoc is being actively exploited in the wild, allowing attackers to upload malicious PHP files and gain full server control.
A critical security vulnerability in ShowDoc, a popular document management and collaboration platform widely used in China, is now being actively exploited in the wild, according to new research from security firm VulnCheck.
Critical Vulnerability Details
The vulnerability, tracked as CVE-2025-0520 (also known as CNVD-2020-26585), carries a CVSS score of 9.4 out of 10.0. The flaw is an unrestricted file upload caused by improper validation of file extensions.
Specifically, versions of ShowDoc before 2.8.7 fail to properly validate uploaded files, allowing attackers to upload arbitrary PHP files to the server. Once uploaded, these files can be executed as web shells, granting attackers remote code execution capabilities on the affected system.
Active Exploitation in the Wild
According to Caitlin Condon, vice president of security research at VulnCheck, this is the first time the vulnerability has been observed under active exploitation. The attack researchers observed used the flaw to drop a web shell on a U.S.-based honeypot running a vulnerable version of ShowDoc.
This marks a concerning development, as it demonstrates that threat actors are actively scanning for and exploiting this vulnerability despite it being several years old. The vulnerability was originally patched in October 2020 when ShowDoc version 2.8.7 was released, and the current version of the software is 3.8.1.
Widespread Exposure
Data shared by VulnCheck indicates that there are more than 2,000 instances of ShowDoc running online, with the majority located in China. This widespread deployment creates a significant attack surface for malicious actors.
Protection and Mitigation
Users running ShowDoc are strongly advised to update to the latest version (3.8.1) immediately to protect against this vulnerability. Organizations should also implement the following security measures:
- Regularly update all software to the latest versions
- Implement proper file upload validation and restrictions
- Monitor for suspicious file upload activities
- Use web application firewalls to detect and block exploitation attempts
- Conduct regular security assessments of document management systems
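One way to act on the upload-monitoring advice above, as an added example that is not from VulnCheck or the ShowDoc project: a Python sweep of an upload directory for files a PHP handler could execute, which is what a dropped web shell looks like on disk. The extension list and the directory passed to `scan_uploads` are assumptions; substitute the extensions your web server maps to PHP and your deployment's actual upload path.

```python
import tempfile
from pathlib import Path

# Assumption: extensions commonly mapped to the PHP handler; match your server config.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
PHP_TAGS = (b"<?php", b"<?=")

def classify(path, sniff_bytes=65536):
    """Return the reasons a file in an upload directory looks like dropped PHP."""
    reasons = []
    # Normalise case and trailing dots/spaces, then inspect every dot-separated
    # component so "a.PHP" and "a.php.jpg" are both caught.
    name = Path(path).name.lower().rstrip(". ")
    parts = name.split(".")[1:]
    if parts and parts[-1] in PHP_EXTS:
        reasons.append("php-extension")
    elif any(p in PHP_EXTS for p in parts):
        reasons.append("php-inner-extension")
    # Content check: a PHP open tag inside a file named like an image or document.
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes).lower()
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("php-open-tag")
    return reasons

def scan_uploads(root):
    """Walk an upload directory and return {relative_path: reasons} for flagged files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (reasons := classify(path)):
            findings[str(path.relative_to(root))] = reasons
    return findings

def demo():
    """Scan a constructed upload tree; every sample file here is made up."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "notes.md": b"# meeting notes\n",
            "x.PHP": b"<?php echo 1; ?>",
            "img.php.jpg": b"\xff\xd8\xff\xe0JFIF",
            "avatar.gif": b"GIF89a<?php echo 1; ?>",
        }
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan_uploads(root)

if __name__ == "__main__":
    print(demo())
```

Any hit in a directory that should only hold user documents and images is worth triage, and the same directory should be configured so the web server never passes its contents to the PHP interpreter.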
The exploitation of CVE-2025-0520 highlights the ongoing threat posed by N-day vulnerabilities—security flaws that have been known and patched for some time but continue to be exploited due to delayed patching by organizations. This pattern has become increasingly common as threat actors actively scan for unpatched systems rather than focusing solely on zero-day vulnerabilities.

For organizations using ShowDoc or similar document management platforms, this incident serves as a critical reminder of the importance of maintaining up-to-date software and implementing robust security monitoring to detect and respond to exploitation attempts promptly.
