ShowDoc RCE Flaw CVE-2025-0520 Is Being Actively Exploited — Over 2,000 Servers Exposed
Introduction
A critical unrestricted file upload vulnerability in ShowDoc, an open-source documentation and collaboration platform widely used in China and increasingly elsewhere, is now under active exploitation. Tracked as CVE-2025-0520 with a CVSS v4.0 score of 9.4, the flaw lets unauthenticated attackers upload PHP web shells and take full control of the underlying server. Over 2,000 ShowDoc instances remain exposed on the public internet.
What Happened
ShowDoc is a lightweight API documentation and team wiki tool often self-hosted by development teams. CVE-2025-0520 (also catalogued as CNVD-2020-26585) stems from improper validation of file extensions in ShowDoc's upload functionality. Because the application fails to restrict which file types can be uploaded, an attacker can send a crafted HTTP request containing a PHP file to the upload endpoint. Once the file lands on the server, it can be accessed directly via the web root and executed — giving the attacker a fully functional web shell.
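To make the extension-validation failure concrete, here is an added illustration in Python (not ShowDoc's code and not taken from the article) of the two ways an upload handler can check a file name: a denylist that only rejects the literal `php` extension, which is one common form of the inadequate validation described above, and an allowlist that normalises the final extension and stores the file under a server-chosen random name. `ALLOWED_EXTENSIONS`, `weak_check`, `strict_check` and `safe_stored_name` are names chosen for this example; the allowlist contents are an assumption about what a documentation tool needs.

```python
"""Weak (denylist) vs. strict (allowlist) upload-name validation.
Added illustration only; not ShowDoc's code."""
import os
import secrets

# Assumed allowlist for a documentation tool: only non-executable types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "md"}

# Denylist that blocks only the literal lowercase 'php' extension. Shown to
# illustrate why denylists fail: case and spelling variants pass through.
DENIED_EXTENSIONS = {"php"}


def weak_check(filename: str) -> bool:
    """Denylist approach: accept unless the extension is exactly 'php'."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def strict_check(filename: str) -> bool:
    """Allowlist approach: the normalised final extension must be allowlisted.
    Path components are stripped first so '../' tricks cannot affect the check."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[-1].lower().strip()
    return ext in ALLOWED_EXTENSIONS


def safe_stored_name(filename: str) -> str:
    """Return a random on-disk name that keeps only the allowlisted extension,
    so the client never controls the stored path or base name."""
    if not strict_check(filename):
        raise ValueError(f"rejected upload: {filename!r}")
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("notes.png", "shell.php", "shell.PHP", "shell.phtml"):
        print(f"{name:12} denylist={weak_check(name)!s:5} allowlist={strict_check(name)}")
```

The allowlist check is the one that matters: even a correct denylist leaves the server one new handler extension away from being vulnerable again, while an allowlist fails closed. Serving the upload directory with PHP execution disabled at the web server is the second, independent layer.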
The vulnerability was originally identified and patched in version 2.8.7 back in October 2020, but security researchers have confirmed that a large number of internet-facing ShowDoc servers never applied the fix. Honeypot data shows active exploitation attempts against servers in the United States, China, and other regions. Attackers are uploading web shells to establish persistent remote access, then pivoting to install additional malware, exfiltrate documentation content, and in some cases deploy ransomware.
The CVSS v3.0 score is 9.8, reflecting the fact that exploitation requires no authentication, no user interaction, and can be carried out remotely over HTTP.
Why It Matters
Self-hosted documentation platforms are common in DevOps environments. They often sit on internal networks but get exposed to the internet for remote team access — sometimes behind nothing more than basic auth or a VPN that's been misconfigured. ShowDoc instances frequently contain API specifications, internal architecture diagrams, credentials, and deployment notes. Compromising one gives an attacker a goldmine of reconnaissance data for lateral movement.
The fact that a patch has existed for nearly six years yet thousands of servers remain vulnerable underscores how easily self-hosted tools fall out of patch cycles. If you run ShowDoc, the urgency is immediate — this is not theoretical, it is being exploited right now.
Who Is Affected
- Organizations running any ShowDoc version prior to 2.8.7
- Development and DevOps teams using ShowDoc for internal API documentation
- Over 2,000 ShowDoc instances are currently internet-facing according to Shodan and Censys scans
- Heaviest concentration in China, but exploitation is global
How to Protect Yourself
Update ShowDoc to 2.8.7 or later immediately:
```bash
cd /path/to/showdoc
git pull origin master
composer install --no-dev
php think migrate:run
```
If you installed ShowDoc via Docker:
```bash
docker pull star7th/showdoc:latest
docker stop showdoc && docker rm showdoc
docker run -d --name showdoc \
  -p 4999:80 \
  -v /showdoc_data/html:/var/www/html \
  star7th/showdoc:latest
```
Check for signs of compromise. Look for unexpected PHP files in ShowDoc's upload directories:
```bash
find /var/www/showdoc/Public/Uploads -name "*.php" -type f
find /var/www/showdoc/Public/Uploads -name "*.phtml" -type f
```
Review web server access logs for POST requests to the upload endpoint from unfamiliar IPs:
```bash
grep -i "upload" /var/log/nginx/access.log | grep "POST"
```
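The two checks above (unexpected PHP files in the upload tree, and upload POSTs in the access log) are more useful when combined: a client that POSTs to the upload endpoint and then fetches a PHP-like file from the upload directory is the pattern to look for. The following added triage helper, written for this article and not part of ShowDoc, does both over nginx `combined`-format logs. The endpoint (`/api/upload`) and directory (`/Public/Uploads/`) are the ones named in this article and should be adjusted to the deployment; the log lines are constructed samples using documentation-reserved IPs, and the `.php5`/`.phar` extensions are an assumption added for configurations that hand those to PHP.

```python
"""Upload-tree and access-log triage for a suspected web-shell upload.
Added example, not from the article or the ShowDoc project."""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# .php/.phtml come from the article; .php5/.phar are an added assumption for
# PHP handler configurations that also execute those extensions.
PHP_LIKE = {".php", ".phtml", ".php5", ".phar"}
UPLOAD_MARKER = "/api/upload"        # upload endpoint named in the article
UPLOAD_DIR_URL = "/public/uploads/"  # compared case-insensitively

# nginx 'combined' format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify_file(name: str, head: bytes) -> bool:
    """True if the name has a PHP-like extension or the first bytes contain a
    PHP open tag (catches shells renamed to an image extension; a first pass,
    not a full parser, and it will miss a tag appended far into a real image)."""
    ext = os.path.splitext(name.lower())[1]
    return ext in PHP_LIKE or b"<?php" in head[:64] or b"<?=" in head[:64]


def scan_upload_dir(root: str) -> List[str]:
    """Filesystem wrapper around classify_file for a real upload tree."""
    hits: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if classify_file(name, head):
                hits.append(path)
    return sorted(hits)


def parse_log(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map client IP -> PHP-like paths it fetched from the upload directory
    after having POSTed to the upload endpoint. Lines are assumed to be in
    chronological order, as an access log read top to bottom is."""
    uploaders: Set[str] = set()
    flagged: Dict[str, List[str]] = defaultdict(list)
    for rec in parse_log(lines):
        target = rec["target"]
        path = target.split("?", 1)[0]  # drop the query string before the extension check
        if rec["method"] == "POST" and UPLOAD_MARKER in target.lower():
            uploaders.add(rec["ip"])
        elif (rec["ip"] in uploaders
              and path.lower().startswith(UPLOAD_DIR_URL)
              and os.path.splitext(path.lower())[1] in PHP_LIKE):
            flagged[rec["ip"]].append(path)
    return dict(flagged)


# Constructed sample log: documentation-reserved IPs, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 154 "-" "python-requests/2.31"
203.0.113.7 - - [20/Nov/2025:10:01:05 +0000] "GET /Public/Uploads/2025-11-20/a1b2c3.php?t=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [20/Nov/2025:10:02:10 +0000] "POST /api/upload HTTP/1.1" 200 154 "https://docs.example.internal/" "Mozilla/5.0"
198.51.100.4 - - [20/Nov/2025:10:02:11 +0000] "GET /Public/Uploads/2025-11-20/diagram.png HTTP/1.1" 200 40211 "https://docs.example.internal/" "Mozilla/5.0"
192.0.2.9 - - [20/Nov/2025:10:03:00 +0000] "GET /Public/Uploads/2025-11-20/a1b2c3.php HTTP/1.1" 404 0 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for ip, paths in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} uploaded, then fetched: {', '.join(paths)}")
```

Run `scan_upload_dir("/var/www/showdoc/Public/Uploads")` on the live tree and `correlate(open("/var/log/nginx/access.log"))` on the log; treat any IP the correlation reports as a confirmed upload-then-execute sequence to investigate, and preserve the log and the flagged files before cleaning up.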
If you cannot patch immediately, restrict access to ShowDoc's upload endpoint at the reverse proxy level. Note that an nginx `location` block matches the request path only, not the query string, so confirm the path your version actually routes uploads through before relying on this:
```nginx
location ~* /api/upload {
    deny all;
}
```
Audit your exposure. Check whether your ShowDoc instance is reachable from the internet:
```bash
curl -s -o /dev/null -w "%{http_code}" https://your-showdoc-domain.com
```
If it should only be internal, put it behind a VPN or zero-trust access proxy and remove public DNS records.