Full Report
A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of
Analysis Summary
# Vulnerability: ShowDoc Unrestricted File Upload RCE
## CVE Details
- **CVE ID:** CVE-2025-0520 (also tracked as CNVD-2020-26585)
- **CVSS Score:** 9.4 (Critical)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** ShowDoc (Document management and collaboration platform)
- **Versions:** All versions prior to **2.8.7**
- **Configurations:** Systems exposed to the public internet are at highest risk; the flaw is exploitable by unauthenticated users.
## Vulnerability Description
A critical flaw exists in ShowDoc due to improper validation of file extensions during the upload process. An unauthenticated remote attacker can bypass existing security checks to upload arbitrary PHP files (web shells) to the server. Because the uploaded files are stored in a web-accessible directory, the attacker can execute these scripts to achieve Remote Code Execution (RCE) with the privileges of the web application.
## Exploitation
- **Status:** **Exploited in the wild.** Active exploitation has been observed in April 2026, targeting U.S.-based honeypots.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to documents and server data)
- **Integrity:** High (Modification of files and deployment of persistent malware/web shells)
- **Availability:** High (Potential for complete server takeover or service disruption)
## Remediation
### Patches
- **Update to ShowDoc v2.8.7 or later.** This version was originally released in October 2020 to address this specific flaw.
- The current stable version at the time of reporting is **3.8.1**.
### Workarounds
- Restrict access to the ShowDoc application via firewall or VPN to trusted IP addresses only.
- Disable PHP execution in the application's upload directories at the web server level (e.g., Nginx or Apache configuration).
## Detection
- **Indicators of Compromise:** Look for unexpected PHP files in the `Public/Uploads/` directory (or similar upload paths).
- **Detection methods and tools:**
- Review web server access logs for POST requests to upload endpoints followed by immediate GET requests to newly created `.php` files.
- Utilize vulnerability scanners to identify unpatched ShowDoc instances (over 2,000 instances are estimated to be online).
## References
- **Vendor Advisory:** [https://github[.]com/star7th/showdoc/releases/tag/v2.8.7]
- **Vulhub Advisory:** [https://github[.]com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585]
- **GitHub Security Advisory:** [https://github[.]com/advisories/GHSA-6jmr-r7p6-f5wr]
- **News Source:** [https://thehackernews[.]com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html]