ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers Ravie LakshmananApr 14, 2026Vulnerability / Network Security A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution. "[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server," according to an advisory released by Vulhub.  The vulnerability was addressed in ShowDoc version 2.8.7, which was shipped in October 2020. The current version of the software is 3.8.1. According to new details shared by Caitlin Condon, vice president of security research at VulnCheck, CVE-2025-0520 has come under active exploitation for the first time. The observed exploit involves leveraging the flaw to drop a web shell on a U.S.-based honeypot running a vulnerable version of ShowDoc. Data shared by the company shows that there are more than 2,000 instances of ShowDoc online, most of which are located in China. The development is the latest example of how threat actors are increasingly exploiting N-day security vulnerabilities, regardless of their install base. Users who are running ShowDoc are advised to update to the latest version for optimal protection. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, network security, remote code execution, software security, Threat Intelligence, Vulnerability, web security Trending News Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Block the Prompt, Not the Work: The End of "Doctor No" Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Load More ▼ Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Secure Your AI Systems Across the Full Lifecycle of Risks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls