A critical security vulnerability in ShowDoc, a document management and team collaboration platform widely used in China and across Asia-Pacific, is under active exploitation in the wild. The flaw, tracked as CVE-2025-0520 (also catalogued as CNVD-2020-26585), carries a CVSS score of 9.4 out of 10.0 and enables remote code execution on affected servers.
What Is ShowDoc?
ShowDoc is an open-source documentation and knowledge-base platform developed in China, used by development teams and IT organizations to manage internal API documentation, technical wikis, and project knowledge bases. The platform has a significant user base in China and across Southeast Asia, making this vulnerability particularly impactful for organizations in that region.
Vulnerability Details
CVE-2025-0520 is rooted in an unrestricted file upload weakness in ShowDoc's web interface. The vulnerability allows an unauthenticated or low-privileged attacker to upload arbitrary files — including web shells and executable scripts — to the server. Once a malicious file is uploaded to a web-accessible directory, the attacker can trigger remote code execution by requesting the file via HTTP.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-0520 / CNVD-2020-26585 |
| CVSS Score | 9.4 (Critical) |
| Attack Type | Unrestricted File Upload → RCE |
| Authentication | Low / Unauthenticated |
| Affected Software | ShowDoc (multiple versions) |
The vulnerability was originally catalogued in China's CNVD (China National Vulnerability Database) as far back as 2020, but exploitation activity has surged in 2026 as organizations running legacy ShowDoc deployments remain unpatched.
Active Exploitation
Threat intelligence sources confirm that threat actors are actively scanning for and exploiting exposed ShowDoc instances. The attack pattern typically involves:
- Discovery — Automated scanning for internet-exposed ShowDoc instances via Shodan-style searches or targeted reconnaissance
- Upload — Exploitation of the file upload endpoint to plant a PHP or Python web shell
- Execution — Triggering the uploaded payload to establish a reverse shell or persistent backdoor
- Post-compromise — Credential harvesting, lateral movement, or ransomware deployment
Given the low attack complexity and high CVSS score, mass exploitation by opportunistic actors is a realistic near-term threat.
Affected Versions and Patch Status
ShowDoc users should verify their version and apply available patches immediately. Organizations running ShowDoc behind an internet-facing web server are at the highest risk, particularly if the platform is exposed without authentication controls or IP allowlisting.
Remediation steps:
- Upgrade ShowDoc to the latest patched release from the official repository
- Restrict access — Place ShowDoc behind a VPN or IP allowlist; do not expose it directly to the internet
- Audit uploaded files — Review the ShowDoc upload directories for unexpected files, particularly
.php,.py,.jsp, or.shextensions - Review server logs — Look for POST requests to file upload endpoints from external or unexpected IP addresses
- Enable web application firewall (WAF) rules targeting file upload bypass techniques
Why Legacy Vulnerability Exploitation Matters
CVE-2025-0520 illustrates a recurring pattern in the threat landscape: vulnerabilities catalogued years ago — particularly in niche or regional platforms with less security community visibility — remain unpatched on production systems long after fixes become available. Attackers routinely resurface old CVEs when mass exploitation becomes operationally viable, especially as automation tools make scanning and targeting at scale trivial.
Organizations should ensure their vulnerability management programs include coverage for:
- Third-party and open-source software deployed internally
- Platforms with limited English-language security research coverage
- Self-hosted collaboration and documentation tools that often receive less patching attention than core infrastructure
Sources: The Hacker News