Five-Year-Old ShowDoc RCE Flaw CVE-2025-0520 (CVSS 9.4) Now Under Active Exploitation — Over 2,000 Instances Exposed

Threat actors are actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc — an IT documentation tool used by developers and operations teams. The flaw, patched in October 2020 but present in thousands of unupgraded installations, allows file upload exploitation to deploy web shells. More than 2,000 publicly accessible ShowDoc instances remain vulnerable.


Threat actors have begun actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc — a self-hosted IT documentation platform widely used by development and operations teams for internal wikis, API documentation, and runbooks. The vulnerability carries a CVSS 3.1 base score of 9.4, was patched in October 2020, and has been confirmed exploited against honeypots as of 18 April 2026. More than 2,000 internet-exposed ShowDoc instances are known to still be running vulnerable versions.

The Vulnerability

CVE-2025-0520 is an unrestricted file upload flaw (CWE-434) in ShowDoc versions prior to 2.8.7. The upload functionality does not validate file extensions or content type with sufficient rigour, allowing an unauthenticated attacker to submit a malicious PHP file through the file attachment endpoint. Once uploaded, the PHP file is stored in a web-accessible directory, where it can be requested directly via the web server — causing the PHP interpreter to execute it as server-side code. This grants the attacker arbitrary code execution under the web server process account, with no authentication required.

The exploitation path is direct: find an internet-exposed ShowDoc instance, upload a PHP web shell, send an HTTP request to the uploaded file, and receive a command execution shell on the server. No credentials, no social engineering, no chained vulnerabilities required. Honeypot telemetry confirms that attackers have automated this sequence and are scanning for vulnerable instances at scale.

Why Unpatched Instances Persist

ShowDoc 2.8.7, released in October 2020, was the patch release — now four and a half years ago. The current version is 3.8.1. The fact that more than 2,000 internet-exposed instances remain on pre-2.8.7 versions reveals a familiar pattern in self-hosted tooling: once deployed, internal documentation tools are rarely subject to the same patch cadence applied to production-facing infrastructure.

ShowDoc is predominantly used by developers and operations teams, often deployed informally — a single Docker container stood up by an individual engineer or small team without formal IT governance applied. These deployments frequently do not have an owner actively monitoring for upstream security advisories, and are not included in enterprise vulnerability management programmes that scan for patching status. The tool continues running indefinitely on the version initially installed.

Attack Impact and Context

A compromised ShowDoc instance represents more than a web shell on a single server. IT documentation tools by design contain high-value internal information: network topology diagrams, system credentials for internal services, API documentation with authentication details, deployment runbooks, and configuration guides. An attacker with ShowDoc access and arbitrary code execution on the server may be able to:

  • Read all stored documentation, including plaintext or encoded credentials
  • Pivot from the ShowDoc server to internal network resources accessible from the host
  • Establish persistent access through scheduled tasks or cron jobs added via the web shell
  • Use Rclone or curl to exfiltrate documentation content to external storage

This makes ShowDoc a priority target for post-initial-access lateral movement — attackers who have landed on an internal network segment may target internal ShowDoc instances as intelligence sources even without internet exposure.

Recommended Actions

  • Update ShowDoc to version 3.8.1 immediately on all instances, whether internet-facing or internal only. The update eliminates the CVE-2025-0520 file upload vector.
  • Conduct a ShowDoc inventory: Identify all ShowDoc deployments in the organisation, including those stood up informally by development teams. Shadow IT documentation tooling is frequently missed by central IT scanning.
  • Remove internet exposure: ShowDoc is an internal tool and should not be reachable from the public internet. Place it behind a VPN, restrict it to internal DNS, or apply IP allowlist access controls. Internet-exposed instances should be assumed compromised if running pre-2.8.7 versions.
  • Audit uploaded files: On vulnerable instances, review the uploads directory (/data/uploads/ or equivalent) for unexpected PHP, PHTML, or SHTML files. These indicate a web shell has been uploaded. Any found should be treated as active compromise.
  • Check web server logs: Look for HTTP POST requests to the file attachment endpoint followed shortly by HTTP GET requests to PHP files in the uploads path — this is the exploitation fingerprint.
  • Extend vulnerability management to internal tooling: ShowDoc is representative of a category of developer-deployed tooling (documentation platforms, internal wikis, monitoring dashboards) that frequently escapes enterprise patch programmes. These tools should be included in periodic scanning, even when not internet-facing.
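
The log check described above, sketched as an added example (not code from ShowDoc or from the original article). It assumes combined-format access logs; the upload endpoint string and the /uploads/ URL prefix are placeholders to replace with the values from your own deployment, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the article): combined-format access logs, a
# placeholder upload URL, and uploaded files served under /uploads/.
UPLOAD_ENDPOINT = "/UPLOAD-ENDPOINT-PLACEHOLDER"
UPLOADS_PREFIX = "/uploads/"
SCRIPT_EXT = re.compile(r"\.(php|phtml|shtml)$", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = '''\
203.0.113.7 - - [18/Apr/2026:10:00:01 +0000] "POST /UPLOAD-ENDPOINT-PLACEHOLDER HTTP/1.1" 200 88 "-" "-"
203.0.113.7 - - [18/Apr/2026:10:00:05 +0000] "GET /uploads/2026/a1.php HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [18/Apr/2026:10:05:00 +0000] "POST /UPLOAD-ENDPOINT-PLACEHOLDER HTTP/1.1" 200 90 "-" "-"
198.51.100.9 - - [18/Apr/2026:10:05:03 +0000] "GET /uploads/2026/diagram.png HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [18/Apr/2026:11:30:00 +0000] "GET /uploads/2026/a1.php?x=1 HTTP/1.1" 200 40 "-" "-"
'''.splitlines()

def find_upload_then_exec(lines, window=timedelta(minutes=10)):
    """Flag requests for script files under the uploads path.

    correlated=True means the same client POSTed to the upload endpoint
    within `window` beforehand. Uncorrelated hits are still reported,
    because the upload and the later request can use different addresses.
    """
    last_post = {}  # client IP -> time of its most recent upload POST
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        file_path = m["path"].split("?", 1)[0]  # drop query string
        if m["method"] == "POST" and m["path"].startswith(UPLOAD_ENDPOINT):
            last_post[m["ip"]] = ts
        elif file_path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(file_path):
            prev = last_post.get(m["ip"])
            findings.append({
                "ip": m["ip"], "path": file_path, "time": ts,
                "status": int(m["status"]),
                "correlated": prev is not None
                and timedelta(0) <= ts - prev <= window,
            })
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

A 200 status on any finding means the web server served the script file, so the host should be handled as compromised and the file preserved for analysis before removal.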

Broader Context

CVE-2025-0520 is a classic N-day exploitation event — a vulnerability patched years ago now being mass-exploited because a significant population of deployments never applied the fix. This pattern repeats reliably across self-hosted software, particularly developer tools where informal deployment and minimal governance are the norm. The security burden falls on the teams that deploy these tools to maintain them, which in practice means many installations simply age in place. Threat actors are well aware of this gap and devote scanning resources specifically to identifying long-unpatched instances of developer and operational tooling.
