Active Exploitation of CVE‑2025‑0520 Targets Unpatched ShowDoc Servers

A critical remote code execution (RCE) vulnerability impacting ShowDoc is currently being exploited in the wild, placing unpatched servers at significant risk of compromise. The flaw is tracked as CVE‑2025‑0520 and carries a CVSS severity score of 9.4, reflecting its high impact and ease of exploitation.

ShowDoc is a web‑based documentation and collaboration platform commonly used by IT and development teams to share technical documents, APIs, and internal knowledge. Due to its frequent deployment on internet‑accessible servers, exposed instances present an attractive target for attackers.

The vulnerability affects ShowDoc versions prior to 2.8.7 and stems from an unauthenticated file upload weakness. Specifically, the application fails to properly validate file extensions during uploads, allowing attackers to upload malicious PHP files. Once uploaded, these files can be executed directly on the server, enabling attackers to deploy web shells and execute arbitrary commands without authentication.

“An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extensions allows the execution of arbitrary PHP code, leading to remote code execution,” the advisory states. “This issue affects ShowDoc versions before 2.8.7.”

The flaw was officially patched in version 2.8.7, which was released in October 2020. Despite the availability of a fix for several years, a substantial number of systems remain vulnerable due to outdated deployments and lack of maintenance.

Threat actors are actively scanning for and exploiting these unpatched instances, potentially granting them full control over affected servers, including the ability to exfiltrate data, deploy additional malware, pivot to internal networks, or use compromised hosts as staging points for further attacks.

Researchers at VulnCheck have identified more than 2,000 exposed ShowDoc instances still accessible on the internet, with the majority located in China. The firm has warned that the exposure significantly increases the likelihood of widespread exploitation. VulnCheck has provided its customers with technical intelligence, including associated payloads, artifacts, and indicators, to support detection and response efforts.

Given the active exploitation and the severity of the vulnerability, organizations using ShowDoc are strongly urged to take immediate action. Recommended steps include:

  • Upgrading to ShowDoc version 2.8.7 or later
  • Restricting or removing internet exposure for internal documentation platforms
  • Reviewing logs for signs of unauthorized access or suspicious file uploads
  • Implementing web application firewalls (WAFs) and tighter access controls

Failure to remediate CVE‑2025‑0520 leaves systems highly susceptible to compromise, underscoring the broader risk posed by long‑unpatched vulnerabilities in externally accessible applications.
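For the log-review step above, a sketch of the check a defender can run over web server access logs: it flags PHP-handled files that were served successfully from the upload directory and notes whether the same client made a successful POST shortly before. This is an added example, not code from ShowDoc or VulnCheck; `UPLOAD_PREFIX`, the 10-minute window, the extension list and the sample log lines are assumptions to adapt to your deployment.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumption: placeholder, not a real ShowDoc path. Set it to your upload directory.
UPLOAD_PREFIX = "/UPLOAD_DIR_PLACEHOLDER/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Combined/common log format: ip, timestamp, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(minutes=10)  # how far back a POST counts as related

def find_upload_execution(lines, upload_prefix=UPLOAD_PREFIX):
    """Flag 2xx responses for PHP-handled files served from the upload directory."""
    last_post = {}  # client IP -> time of its most recent successful POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        ok = m["status"].startswith("2")
        if ok and path.startswith(upload_prefix) and SCRIPT_EXT.search(path):
            prior = last_post.get(m["ip"])
            hits.append({
                "ip": m["ip"], "path": path, "time": ts,
                # True when the same client made a successful POST shortly before
                "post_before": prior is not None and ts - prior <= WINDOW,
            })
        if ok and m["method"] == "POST":
            last_post[m["ip"]] = ts
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:03:14:07 +0000] "POST /UPLOAD_ENDPOINT_PLACEHOLDER HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.7 - - [12/Jan/2025:03:14:09 +0000] "GET /UPLOAD_DIR_PLACEHOLDER/2025-01-12/a1b2.PHP?x=1 HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.4 - - [12/Jan/2025:09:00:00 +0000] "GET /UPLOAD_DIR_PLACEHOLDER/2025-01-10/diagram.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2025:09:00:05 +0000] "GET /UPLOAD_DIR_PLACEHOLDER/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in find_upload_execution(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["ip"], hit["path"], hit["post_before"])
```

Any hit is worth triage, since a documentation platform's upload directory should only ever serve static files; hits with `post_before` set are the ones to examine first.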
