Threat Actors Exploit Critical ShowDoc Flaw in Active Attacks

AI-generated from multiple sources. Verify before acting on this reporting.

BEIJING — Threat actors are actively exploiting a critical remote code execution vulnerability in ShowDoc document management software, targeting unpatched servers across China. The flaw, designated CVE-2025-0520, allows attackers to upload malicious files and execute arbitrary code on affected systems.

The vulnerability stems from an unrestricted file upload feature within the software, which fails to properly validate incoming files. Security researchers identified the issue earlier this year, but exploitation has surged as of April 14, 2026. ShowDoc, a popular open-source tool for documentation and collaboration, is widely used by enterprises and government entities in the region.

Exploitation of the vulnerability enables remote attackers to gain full control over compromised servers without authentication. Once inside, threat actors can deploy ransomware, steal sensitive data, or use the systems as part of a larger botnet. The attack vector requires no user interaction, making it particularly dangerous for organizations that have not applied the latest security patches.

ShowDoc developers released a patch for the vulnerability in early 2025, but many organizations have yet to update their systems. The delay in patching has created a window of opportunity for malicious actors. Cybersecurity firms monitoring network traffic have observed a significant increase in exploit attempts over the past 48 hours, with thousands of scanning events originating from various IP addresses.

The attacks are primarily concentrated in China, where ShowDoc has a substantial user base. However, the vulnerability affects any organization using the software globally. Experts warn that the ease of exploitation means even small businesses and educational institutions are at risk.

Security advisories have been issued urging administrators to update their ShowDoc installations immediately. The patch addresses the file upload validation issue and restricts the types of files that can be uploaded to the system. Organizations are also advised to implement additional security measures, such as web application firewalls and intrusion detection systems, to mitigate the risk of exploitation.
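The kind of upload validation described above (an allow-list of file types, checked against the file's content) can be sketched as follows. This is an added illustration, not ShowDoc's patch or code; the allowed types, the `validate_upload` name and the sample uploads are assumptions.

```python
import os
import secrets

# Assumed allow-list: extension -> magic bytes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Extensions a web server may hand to an interpreter (assumed, not exhaustive).
EXECUTABLE = {"php", "php5", "phtml", "phar", "jsp", "asp", "aspx", "cgi", "pl", "sh"}


def validate_upload(client_name: str, data: bytes):
    """Return (stored_name, None) if accepted, else (None, reason)."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or base.startswith(".") or "\x00" in base:
        return None, "bad filename"
    parts = base.lower().split(".")
    ext = "." + parts[-1]
    if len(parts) < 2 or ext not in ALLOWED:
        return None, "extension not allowed"
    # report.php.png: some server configurations still execute the inner extension.
    if any(p in EXECUTABLE for p in parts[1:-1]):
        return None, "double extension"
    # The extension is client-chosen, so the content must agree with it.
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    # Heuristic for polyglots: a valid header followed by a PHP open tag.
    if b"<?php" in data.lower():
        return None, "embedded script"
    # Never reuse the client's name; store under a random one with the vetted extension.
    return secrets.token_hex(16) + ext, None


if __name__ == "__main__":
    # Constructed sample uploads, not taken from any real incident.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, body in [("diagram.png", png), ("shell.php", b"<?php echo 1;"),
                       ("shell.php.png", png), ("avatar.gif", b"GIF89a<?php echo 1;")]:
        print(name, "->", validate_upload(name, body))
```

Validation of this kind is one layer; serving the upload directory with script execution disabled keeps a missed file from running.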

Despite the availability of a fix, the active exploitation of the vulnerability continues. Cybersecurity analysts are tracking the spread of the attacks and working to identify the threat actors responsible. The motivation behind the attacks remains unclear, though the potential for financial gain and data theft is significant.

As the situation develops, organizations are urged to assess their exposure and take immediate action to secure their systems. The ongoing exploitation of CVE-2025-0520 highlights the critical importance of timely patch management and proactive cybersecurity measures.