
ShowDoc Document Management Platform Targeted by Active RCE Exploitation

Take action: If you're running ShowDoc, update it to version 2.8.7 or higher immediately. This flaw has been patched since 2020 but attackers are actively exploiting unpatched instances. Then check your image upload folders for any suspicious PHP files that shouldn't be there, and make sure ShowDoc is not exposed to the internet.



ShowDoc, a widely used document management and collaboration platform, is facing active exploitation of a critical remote code execution vulnerability that allows unauthenticated attackers to compromise servers by bypassing file upload restrictions.

Although the developer released a patch for this issue in late 2020, security researchers have recently observed threat actors targeting unpatched instances in the wild to deploy malicious payloads.

The vulnerability is tracked as CVE-2025-0520 or CNVD-2020-26585 (CVSS score 9.4). It is an unrestricted file upload vulnerability in the image upload component of ShowDoc, caused by improper validation of file extensions. Attackers can bypass security filters by using malformed filenames such as "test.<>php" to upload arbitrary PHP scripts to the server. Once the file is uploaded, the attacker can access it via a direct URL to run a web shell and execute commands with the privileges of the web service.

A successful attack grants the threat actor full control over the host system. By running a web shell, attackers can exfiltrate sensitive internal documentation, steal API keys, and use the compromised server as a pivot point to move laterally through the corporate network. 

Recent intelligence from VulnCheck indicates that attackers are actively using this flaw to target U.S.-based honeypots, despite the majority of the 2,000 exposed instances being located in China.

This security issue affects all versions of ShowDoc prior to 2.8.7. Although the software has since advanced to version 3.8.1, a significant number of legacy installations remain online and vulnerable to automated scanning. The exploit can be triggered by sending a single specially crafted POST request to the /index.php?s=/home/page/uploadImg endpoint.

Organizations must update ShowDoc to version 2.8.7 or higher immediately to resolve this vulnerability. Administrators should also inspect their web server directories for unauthorized PHP files, specifically within folders designated for image uploads, which may indicate a prior compromise. To further reduce the attack surface, security teams should isolate document management tools from the internet and restrict access to known internal IP addresses.
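The upload-folder inspection recommended above can be scripted. The following is an added example, not code from ShowDoc or from the original report; it assumes the folder is meant to hold only images, and the function names, extension list and sample files are constructed for illustration.

```python
from pathlib import Path
import tempfile

# Extensions often mapped to the PHP handler (assumption: match your server config).
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Leading bytes of JPEG, PNG, GIF, BMP and RIFF/WebP files.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM", b"RIFF")

def triage_upload(path):
    """Return the reasons a file looks out of place in an image-only upload folder."""
    reasons = []
    if path.suffix.lower() in PHP_EXTS:
        reasons.append("php-extension")
    with path.open("rb") as fh:
        data = fh.read(1 << 20)  # the first 1 MiB is enough for triage
    if b"<?php" in data.lower():
        reasons.append("php-open-tag")  # also catches scripts hidden behind an image header
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("not-an-image")
    return reasons

def sweep_uploads(root):
    """Walk root recursively and return {relative_path: reasons} for flagged files."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = triage_upload(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample data: a PNG, a script, and a script behind a GIF header."""
    samples = {
        "2024/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2024/a1b2c3.php": b"<?php /* placeholder */ ?>",
        "2024/avatar.gif": b"GIF89a<?PHP /* placeholder */ ?>",
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(sweep_uploads(tmp))
```

Point `sweep_uploads` at a copy or read-only mount of the real upload directory. Treat every finding as a lead to review alongside file timestamps and web server logs, not as proof of compromise.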
