Attackers target unpatched ShowDoc servers via CVE-2025-0520

A critical RCE flaw, tracked as CVE-2025-0520, in ShowDoc is being actively exploited, putting unpatched servers at serious risk.

A critical remote code execution flaw, tracked as CVE-2025-0520 (CVSS score of 9.4), affecting ShowDoc is under active exploitation in the wild.

ShowDoc is an online tool that helps IT teams share documents and improve collaboration and communication efficiency.

Versions before 2.8.7 had an unauthenticated file upload flaw allowing attackers to deploy web shells and run code on servers. The issue was fixed in version 2.8.7, released in October 2020.

“An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.” reads the advisory.

Threat actors are targeting unpatched servers, potentially gaining full control.

VulnCheck researchers warn that over 2,000 instances remain exposed online, mostly in China. The cybersecurity firm provides customers with payloads, artifacts, and intelligence.

Organizations using the tool are strongly urged to update and secure exposed instances immediately.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-0520)