ShowDoc flaw under active exploitation as users urged to update

A critical ShowDoc vulnerability tracked as CVE-2025-0520 is being actively exploited in the wild, with attackers using the flaw to drop web shells on a U.S.-based honeypot. The issue affects the document management and collaboration service, which has more than 2,000 instances online, most of them in China.

KEY FACTS

  • Severity: CVE-2025-0520 has a CVSS score of 9.4 out of 10.0.
  • Flaw type: The bug is an unrestricted file upload issue that can lead to remote code execution.
  • Affected versions: ShowDoc versions before 2.8.7 are vulnerable.
  • Fix: The issue was addressed in ShowDoc 2.8.7, which shipped in October 2020.

A Vulhub advisory says the problem stems from improper validation of file extensions, which lets an attacker upload arbitrary PHP files. In practice, that allows an unauthenticated attacker to upload a web shell and run code on the server.
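To make the "improper validation of file extensions" point concrete, the following is an added illustration and not ShowDoc's own code or the patch that shipped in 2.8.7. It contrasts the shape of a weak extension check with an allowlist-based one for a PHP upload handler. The function names, the allowlist contents and the MIME mapping are assumptions chosen for this example.

```php
<?php
// Added example (not ShowDoc code): weak vs. hardened upload validation.

// Weak: a denylist applied to the client-supplied filename. It only looks at
// the final extension and compares case-sensitively, so any name that does
// not literally end in ".php" passes, and the file keeps the attacker's name.
function weak_extension_check(string $clientName): bool
{
    $denied = ['php'];
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);
    return !in_array($ext, $denied, true); // true = accept
}

// Hardened: accept only a short allowlist of expected types (assumption: an
// image/PDF upload feature), normalise case, verify the content's MIME type
// with finfo instead of trusting the name, and store under a server-generated
// name so nothing from the request ends up in the filesystem path.
const ALLOWED_EXTENSIONS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        return null;                                   // not allowlisted: reject
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_EXTENSIONS[$ext]) {
        return null;                                   // contents disagree with name
    }
    // Random server-side name; the upload directory itself should additionally
    // have script execution disabled (e.g. no PHP handler for that path).
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with a constructed file: a real PNG signature followed by
// padding, saved under a misleading ".php"-style and a plain ".png" name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));

var_dump(weak_extension_check('notes.PHP'));          // bool(true): denylist missed the case variant
var_dump(safe_upload_name('notes.PHP', $tmp));        // NULL: not on the allowlist
var_dump(safe_upload_name('photo.png', $tmp));        // string(36) "<32 hex chars>.png"
unlink($tmp);
```

The second function is the behaviour the advisory's fix implies: a positive list of what the feature needs rather than a negative list of what it fears, a content check, and no attacker-controlled bytes in the stored path. Disabling script execution in the upload directory is a separate control that limits the impact even if validation is later found to be bypassable.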

New details shared by Caitlin Condon of VulnCheck indicate this is the first observed active exploitation of the CVE. The disclosed activity involved a vulnerable ShowDoc deployment on a honeypot in the United States.

The current version of ShowDoc is 3.8.1, according to the project release history. The report says users running the software should update to the latest version for better protection.

WHY IT MATTERS

The exploitation shows that older vulnerabilities can still be used against exposed systems years after a fix is released. Organizations running ShowDoc face the risk of remote code execution if they have not updated vulnerable installations.