A critical vulnerability in ShowDoc, a widely used documentation and collaboration platform in China, has become more relevant because it is now being actively exploited in the wild. Tracked as CVE-2025-0520 (also reported as CNVD-2020-26585), the flaw carries a CVSS score of 9.4/10, which classifies it as very high risk and capable of enabling serious intrusions when left unpatched.
The problem is a case of unrestricted file upload: the application does not properly validate file extensions and allows malicious PHP files to be uploaded. With that vector, an attacker can place a web shell on the server and execute code remotely, gaining control over the vulnerable instance. Earlier research and technical advisories had already indicated that versions prior to 2.8.7 were susceptible to this technique, and that the corresponding patch was introduced in version 2.8.7, published in October 2020.

ShowDoc released the fix in October 2020, and since then the project has continued to evolve to its current branches (the stable version at the time of writing is 3.8.1). Still, according to the follow-up shared by Caitlin Condon, Vice President of Security Research at VulnCheck, the vulnerability has been exploited in the wild: an exploitation attempt was observed that left a web shell on a US-based honeypot running a vulnerable version of ShowDoc. This confirms that even though the flaw is old, attackers continue to look for and exploit outdated instances.
Public data indicate that there are more than 2,000 ShowDoc instances reachable from the Internet, with a significant concentration in China. This picture explains why a known and patched vulnerability can remain dangerous: many deployments are not updated or remain exposed, which offers easy targets for malicious actors who take advantage of these so-called "N-day" vulnerabilities, known flaws for which a patch exists but which remain exploitable in installations that have not been updated.

For those who administer ShowDoc the recommendation is clear: update to the latest version as soon as possible. Updating not only applies the fix for the file upload flaw but also reduces the attack surface against other technical flaws discovered over time. In addition to updating the software, it is prudent to review logs and the contents of upload directories in search of PHP files or web shells, segregate Internet-exposed instances, and apply perimeter controls such as web application firewalls (WAF) and blocking rules. It is also appropriate to audit users and permissions, and to keep reliable backups and incident response checklists ready in case of intrusion.
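The review of upload directories recommended above can be scripted. The following is an added example written for this article, not code from the ShowDoc project or from VulnCheck; it assumes only a local directory path (the demo builds a constructed temporary tree) and flags files by executable extension anywhere in the name, by a PHP opening tag in the content, and by the calls a dropped web shell typically relies on, so that an administrator can prioritise what to inspect by hand.

```python
import re
import tempfile
from pathlib import Path

# Extensions that a PHP handler (or a permissive web server config) may execute.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP opening tags; searched in the leading bytes of every file regardless of its name.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Calls a dropped web shell typically relies on; used only to prioritise manual review.
SHELL_HINTS = re.compile(rb"\b(eval|system|shell_exec|passthru|exec|assert)\s*\(", re.IGNORECASE)


def has_executable_extension(name: str) -> bool:
    """Flag any dotted segment after the base name, so 'avatar.php.jpg' is caught
    along with 'shell.php' (double extensions target lax handler matching)."""
    segments = name.lower().split(".")[1:]
    return any("." + seg in EXECUTABLE_EXTS for seg in segments)


def scan_upload_dir(root: str, max_read: int = 65536) -> list:
    """Walk an upload tree and return [{'path', 'reasons'}] for files that look like PHP code."""
    base = Path(root)
    findings = []
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if has_executable_extension(path.name):
            reasons.append("executable-extension")
        try:
            head = path.read_bytes()[:max_read]
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if PHP_TAG.search(head):
            reasons.append("php-open-tag")
            if SHELL_HINTS.search(head):
                reasons.append("shell-like-calls")
        if reasons:
            findings.append({"path": str(path.relative_to(base)), "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed demo upload directory (not data from any real ShowDoc host)."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "doc.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)          # benign image
    (root / "avatar.php.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")               # double extension
    (root / "notes.jpg").write_bytes(b"<?php eval($code); ?>")                    # PHP posing as image
    (root / "readme.txt").write_bytes(b"Plain text; <?xml?> is not a PHP tag")   # must not be flagged
    return str(root)


if __name__ == "__main__":
    print(scan_upload_dir(build_sample_tree()))
```

Run it against the real upload directory of an instance instead of the sample tree; every hit deserves a manual look, and a hit on a recently modified file in a pre-2.8.7 deployment should trigger the incident response checklist.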
If you want the technical reference on why this type of file upload is dangerous, OWASP maintains very useful documentation on the risks associated with unrestricted uploads: OWASP - Unrestricted File Upload. For information on the ShowDoc project and its releases, see the public repository on GitHub: star7th/showdoc on GitHub. For incident tracking and analysis of active exploitation you may be interested in the VulnCheck page, from which details of the incident have been shared: VulnCheck. Finally, if you are looking for the official CVE entry, the NVD portal usually centralizes these records: NVD - National Vulnerability Database.
This episode is a good reminder that the mere existence of a patch does not stop a vulnerability from remaining dangerous: update management, visibility of exposed instances and basic operational hardening practices are as important as the patch itself. If you administer ShowDoc or are in charge of an environment that uses it, do not leave until tomorrow an update that can prevent an intrusion today.