
ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers
Why It Matters
Unpatched ShowDoc servers provide attackers with a stealthy foothold for lateral movement, exposing organizations to data breaches and command‑and‑control abuse. The incident underscores the broader risk of legacy vulnerabilities that persist despite available patches.
Key Takeaways
- CVE‑2025‑0520 allows unauthenticated PHP file uploads.
- Over 2,000 public ShowDoc instances remain unpatched, mostly in China.
- Exploits drop web shells for full server takeover via RCE.
- Updating to version 3.8.1 eliminates the unrestricted upload flaw.
Pulse Analysis
The ShowDoc documentation platform has been under the spotlight after researchers confirmed active exploitation of CVE‑2025‑0520, a critical unrestricted file‑upload flaw assigned a CVSS 9.4 rating. First disclosed in 2020, the vulnerability allows attackers to upload malicious PHP scripts that the server then executes, granting remote code execution. Although the vendor released a fix in version 2.8.7, many deployments, especially legacy installations in Asia, have never applied the patch, leaving a large attack surface exposed. The flaw affects any ShowDoc deployment that accepts user‑generated content without proper sanitization.
Threat actors have begun weaponising the old bug as a low‑cost entry point into corporate networks. Recent incidents include a U.S.-based canary that was compromised after the attacker uploaded a web shell to an outdated ShowDoc instance, using it as a foothold for lateral movement. Because ShowDoc’s install base is modest—roughly 2,000 publicly reachable sites—the platform often flies under the radar of traditional asset inventories, making it an attractive staging ground for command‑and‑control infrastructure. This pattern underscores the growing danger of N‑day vulnerabilities that persist long after a fix is available.
The immediate mitigation is straightforward: upgrade every ShowDoc deployment to the current 3.8.1 release, which closes the unrestricted upload vector. Organizations should also enforce strict file‑type validation, isolate web‑facing services, and monitor for anomalous PHP execution. Beyond patching, the episode highlights the need for continuous external asset discovery, as many vulnerable instances reside outside internal change‑management processes. By integrating threat‑intel feeds with configuration‑management databases, security teams can surface hidden exposures before attackers can weaponise them, reinforcing a proactive defense posture.
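One way to monitor for the anomalous PHP execution mentioned above is to scan web access logs for requests that reach PHP-handled files inside an upload directory. The Python below is an added example, not code from the article or from ShowDoc; the `/uploads/` prefix, the function name and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: URL prefix of the user-upload directory (case-sensitive);
# set it to match the deployment being monitored.
UPLOAD_PREFIXES = ("/uploads/",)
# Extensions commonly routed to the PHP handler. The lookahead also catches
# path-info (/x.php/y.png) and double extensions (x.php.jpg).
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|pht)(?=$|[/.])", re.I)
# Common/combined access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_upload_script_requests(lines, prefixes=UPLOAD_PREFIXES):
    """Return (ip, method, path, status, verdict) for each request that
    targets a PHP-handled file below an upload directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string, decode percent-encoding, collapse slashes.
        path = re.sub(r"/+", "/", unquote(urlsplit(m["target"]).path))
        # Inspect only the part of the path below the upload directory.
        tails = [path[path.find(p) + len(p):] for p in prefixes if p in path]
        if not any(SCRIPT_EXT.search(t) for t in tails):
            continue
        status = int(m["status"])
        # 2xx: the server returned the file or its output; else treat as a probe.
        verdict = "served" if 200 <= status < 300 else "probe"
        findings.append((m["ip"], m["method"], path, status, verdict))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jan/2025:10:00:00 +0000] "GET /uploads/2025/diagram.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /uploads/2025/a1b2.php HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /uploads/2025/a1b2%2EPHP/x.png?c=1 HTTP/1.1" 200 17',
    '192.0.2.9 - - [10/Jan/2025:10:01:00 +0000] "GET /uploads/test.php HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?page=uploads/x.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in find_upload_script_requests(SAMPLE_LOG):
        print(finding)
```

A "served" finding on a directory that should only hold documents and images warrants immediate review of the file on disk; a "probe" finding indicates scanning and is useful for prioritising which hosts to patch first.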