A security flaw fixed over five years ago is being targeted by hackers again now. This vulnerability is found in ShowDoc, a tool used by IT teams to manage documents and mutual collaboration. ShowDoc is most popular in China, but recent attacks show that threat actors are finding ways to exploit it globally.
A Backdoor Into Servers
The vulnerability, tracked as CVE-2025-0520 with a high CVSS score of 9.4 out of 10, is an unrestricted file upload flaw. This occurs when the system fails to check what type of files users are sending to it. If exploited, this mistake allows hackers to upload their own PHP files to a server without needing a username or password.
For your information, PHP files often contain a web shell, which is code that lets an unauthorised individual run commands on a computer remotely, a technique called remote code execution (RCE), and allows threat actors to take full control of the system.
ShowDoc is built using the PHP programming language, and that’s why the server sees these uploaded files as legitimate system instructions and executes them.
Attack Details
According to the latest reports, hackers are actively exploiting this bug against servers worldwide. One such attack was spotted hitting a US-based canary, a highly sensitive trap designed to alert security teams the moment it is touched. In this case, the canary was running an old version of ShowDoc to see if hackers would take the bait
Even though the software has a small user base compared to giant tech brands like Microsoft SharePoint or Atlassian Confluence, there are still more than 2,000 instances of ShowDoc visible on the internet, most of which are located in China.
Protecting Your Data
Originally, this bug was found in ShowDoc versions released before October 2020, and to stop its exploitation, the company released a fix in version 2.8.7. However, many users never installed the newer version, and this generates a security crisis as many systems still run old software that hasn’t been updated in years.
Caitlin Condon, the VP of Security Research at VulnCheck, shared in an update that their systems detected this flaw being exploited in the wild only recently. “Our team’s ASM queries show 2,000+ instances of ShowDoc online, primarily in China. The VulnCheck-observed exploit dropped a webshell on a U.S.-based Canary running the vulnerable software,” Condon’s post read.
She also noted that it is apparently linked to the current trend where hackers target N-day vulnerabilities. For your information, N-days are old, known bugs that stay active because people forget to patch their systems. So, if you use ShowDoc, the only way to stay safe is to update to the latest version- ShowDoc 3.8.1.
Expert’s Analysis
In a comment shared with Hackread.com, Will Baxter, Head of Architecture & Platform and Field CISO at Team Cymru, explained why these attacks are so dangerous. Baxter mentioned that this activity shows how attackers use old vulnerabilities as quiet entry points. He noted that even software with a small number of users can be valuable for hackers to use as a base for further attacks once they get inside.
“This activity highlights how attackers continue to exploit long-tail vulnerabilities as quiet entry points into exposed systems. Even software with a small install base can become valuable infrastructure for staging, pivoting, or command-and-control activity once compromised. The challenge is that these assets often fall outside an organization’s immediate visibility, which is why defenders need external intelligence to understand how their infrastructure appears and behaves on the open internet.”
