CVE-2025-0520: ShowDoc RCE Flaw Actively Exploited
A critical remote code execution vulnerability in ShowDoc — tracked as CVE-2025-0520 with a CVSS score of 9.4 — is under active exploitation. The flaw affects ShowDoc versions before 2.8.7 and allows attackers with low-level access to upload arbitrary PHP files and execute code on the server. VulnCheck confirmed active exploitation this week, with over 2,000 vulnerable instances identified online.
What the vulnerability is
CVE-2025-0520 is an unrestricted file upload vulnerability in ShowDoc, an open-source documentation and collaboration tool popular primarily in China. The flaw exists in ShowDoc’s image upload endpoint and stems from a ThinkPHP framework property name error — the developer assigned permitted file extensions to a property called allowExts, but the framework expects exts. Because the framework silently ignores the unrecognised property, all file extensions are permitted by default, including .php.
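The failure mode described above, reduced to a small Python model. This is an added example, not ShowDoc or ThinkPHP code; the class names, the `set` method and the allowlist values are constructed for illustration. It contrasts an uploader that drops unknown settings and treats an empty allowlist as "allow all" with one that rejects typos and denies by default.

```python
import os

IMAGE_EXTS = ["jpg", "gif", "png", "jpeg"]  # constructed allowlist for the demo

def extension(filename):
    return os.path.splitext(filename)[1].lstrip(".").lower()

class FailOpenUploader:
    """Model of the flaw: unknown settings vanish, empty allowlist allows all."""
    KNOWN = ("exts",)

    def __init__(self):
        self.config = {"exts": []}

    def set(self, name, value):
        if name in self.KNOWN:
            self.config[name] = value
        # Any other name is dropped without an error or a log line.

    def allows(self, filename):
        exts = self.config["exts"]
        return not exts or extension(filename) in exts

class FailClosedUploader(FailOpenUploader):
    """Hardened model: typos raise, and an empty allowlist denies everything."""

    def set(self, name, value):
        if name not in self.KNOWN:
            raise KeyError(f"unknown upload setting: {name!r}")
        self.config[name] = value

    def allows(self, filename):
        return extension(filename) in self.config["exts"]

def demo():
    results = {}
    misnamed = FailOpenUploader()
    misnamed.set("allowExts", IMAGE_EXTS)      # the wrong property name
    results["misnamed_allows_php"] = misnamed.allows("shell.php")
    correct = FailOpenUploader()
    correct.set("exts", IMAGE_EXTS)            # the name the framework reads
    results["correct_allows_php"] = correct.allows("shell.php")
    try:
        FailClosedUploader().set("allowExts", IMAGE_EXTS)
        results["typo_detected"] = False
    except KeyError:
        results["typo_detected"] = True
    results["unset_allows_png"] = FailClosedUploader().allows("a.png")
    return results

if __name__ == "__main__":
    print(demo())
```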
An attacker with low-level user privileges can exploit the endpoint at /index.php?s=/home/page/uploadImg to upload a PHP web shell to a publicly accessible directory. From there, arbitrary code executes with the privileges of the web server process — giving the attacker read access to configuration files, database credentials, and the ability to pivot into adjacent network segments.
The vulnerability was patched in ShowDoc version 2.8.7, released in October 2020. The current version is 3.8.1. Despite this, VulnCheck’s canary detection confirmed first-time exploitation this week, with the observed exploit dropping a web shell on a US-based honeypot running a vulnerable version.
Why this matters beyond ShowDoc’s install base
ShowDoc has over 2,000 internet-exposed instances, the majority located in China. The active exploitation is a textbook example of a trend VulnCheck and The Hacker News have both noted: threat actors increasingly targeting N-day vulnerabilities — known, patched flaws — across whatever install base exists, regardless of how niche the software is.
The broader risk is not ShowDoc specifically. It is the pattern. Developer-deployed tools — documentation platforms, internal wikis, code repositories, API portals — are frequently deployed outside standard IT asset management processes. They are updated infrequently, often run on internet-facing servers, and regularly contain sensitive technical content: API keys, database connection strings, internal network diagrams, and system configurations that provide attackers with detailed roadmaps for lateral movement.
A vulnerable ShowDoc instance is not just a compromised documentation server. It is a potential foothold into whatever infrastructure is documented on it.
Immediate actions for security teams
The GitHub advisory and NVD entry both confirm the remediation path. For any organisation running ShowDoc:
- Update to version 3.8.1 immediately — version 2.8.7 patches this specific CVE but 3.8.1 is the current release
- Audit recent access logs on any ShowDoc instance for POST requests to /index.php?s=/home/page/uploadImg and check upload directories for unexpected .php files
- Review content stored on documentation servers — credentials, API keys, and internal network details should not live on internet-facing platforms
- Restrict access — if ShowDoc does not need to be internet-facing, place it behind a VPN or firewall immediately
- Scan your external perimeter for any ShowDoc instances that may have been deployed without security team awareness — this is a classic shadow IT exposure
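One way to carry out the log and upload-directory audit from the list above, as an added example that is not part of the original article. It assumes access logs in the common "combined" format and takes the upload directory as a parameter, since the article does not name it; the sample log lines are constructed, and matching `.phtml` and inner extensions such as `.php.jpg` is a deliberate broadening beyond the plain `.php` check.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Combined log format: ip, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_ROUTE = "/home/page/uploadimg"   # compared case-insensitively after URL-decoding
PHP_SUFFIXES = {".php", ".phtml"}       # broadened beyond ".php" (assumption)

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:08:01:12 +0000] "GET /index.php?s=/home/page/index HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2025:08:02:40 +0000] "POST /index.php?s=/home/page/uploadImg HTTP/1.1" 200 98
203.0.113.9 - - [10/Jan/2025:08:02:44 +0000] "POST /index.php?s=%2Fhome%2Fpage%2FuploadImg HTTP/1.1" 200 98
198.51.100.7 - - [10/Jan/2025:08:03:00 +0000] "GET /index.php?s=/home/page/uploadImg HTTP/1.1" 200 20
"""

def find_upload_posts(lines):
    """Return POST requests whose decoded target hits the image upload route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, method, target, status = m.groups()
        if method == "POST" and UPLOAD_ROUTE in unquote(target).lower():
            hits.append({"ip": ip, "time": when, "target": target, "status": int(status)})
    return hits

def find_php_files(root):
    """List files under root with a PHP suffix anywhere in the name (x.php, x.php.jpg)."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and any(s.lower() in PHP_SUFFIXES for s in p.suffixes)
    )

if __name__ == "__main__":
    # Usage: script.py [access.log] [upload_dir]; with no arguments, runs on the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for hit in find_upload_posts(lines):
        print("upload POST:", hit["time"], hit["ip"], hit["status"], hit["target"])
    if len(sys.argv) > 2:
        for name in find_php_files(sys.argv[2]):
            print("unexpected PHP file:", name)
```

Image uploads by legitimate users also appear as POSTs to this route, so use the hits to narrow the time window and source addresses, then correlate with files found in the upload directory.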
For any ShowDoc instance that was internet-exposed while running a vulnerable version, treat it as potentially compromised and conduct a full review before returning it to service.
The shadow IT problem this illustrates
CVE-2025-0520 is not an unusual vulnerability. It is an unusual reminder of how much developer-deployed infrastructure exists outside security team visibility.
Documentation platforms, internal tools, and development environments represent a growing category of internet-exposed assets that traditional vulnerability management programmes miss — not because the tools are unimportant, but because they were never registered in the asset inventory to begin with. By the time a CVE is published and exploitation begins, many organisations do not know the software is running on their infrastructure.
External attack surface scanning catches this gap. An outside-in scan of your organisation’s internet-facing infrastructure will find ShowDoc instances, exposed development tools, and forgotten staging environments that internal scanning cannot surface — because internal scanning only covers what you already know about.
How CybelAngel helps
CybelAngel’s Attack Surface Management module continuously scans your organisation’s external perimeter for exposed assets — including developer-deployed tools like ShowDoc that exist outside standard IT asset inventories. When a new CVE with active exploitation emerges, you need to know within hours whether vulnerable software is running on your infrastructure, not days after a compromise is discovered.
Our REACT team provides immediate guidance when critical vulnerabilities affect your exposed assets, from detection through remediation. For organisations concerned about shadow IT exposure and developer-deployed infrastructure, our Cyber Threat Intelligence capabilities track active exploitation campaigns and provide early warning when threat actors begin targeting software your teams use.
For more on how attackers exploit exposed developer infrastructure, read our APT28 router hijacking analysis or explore CybelAngel’s Attack Surface Management capabilities.
