When a collaboration platform used by many organizations harbors a hole that allows arbitrary files to be placed on its servers, what happens next is not theory — it becomes a running incident. That is the situation now facing operators and users of ShowDoc: a critical remote code execution vulnerability tied to unrestricted file upload is being exploited in the wild on unpatched servers.
Background: the flaw and the software
ShowDoc, a document management and collaboration service popular in China, is at the center of this advisory. The vulnerability is tracked as CVE-2025-0520 (also catalogued as CNVD-2020-26585) and is scored 9.4 out of 10.0 on the Common Vulnerability Scoring System (CVSS), indicating a critical severity level. The issue relates to a case of unrestricted file upload that stems from improper validation of
Current situation: active exploitation on unpatched servers
According to the reporting, CVE-2025-0520 is now being actively exploited in the wild. Those attacks are occurring on unpatched servers — meaning instances of ShowDoc that have not been updated to remediate the vulnerability remain at risk. The combination of a high CVSS score and active exploitation elevates this from a theoretical concern to an operational problem for affected deployments.
Why this matters: multiple perspectives
- Technologists: From a technical standpoint, unrestricted file upload vulnerabilities that lead to remote code execution are among the most consequential classes of software bugs because they can permit an attacker to place and execute arbitrary code on a target system. A CVSS score of 9.4 underscores that potential.
- Policymakers and risk managers: Active exploitation on unpatched systems demonstrates the gap that can exist between vulnerability disclosure and remediation in the field. Where a widely used collaboration tool is involved, that gap can affect many organizations.
- Users and administrators: Operators of ShowDoc instances face an immediate operational decision when notified of such a vulnerability: to assess exposure, prioritize patching or other mitigations, and verify that public-facing and internal instances are not compromised. The report specifically notes exploitation on unpatched servers, highlighting the stakes of delayed updates.
- Adversaries: For attackers, the presence of a reliable unrestricted file upload flaw on a popular platform represents an attractive avenue for footholds, persistence, and secondary actions on compromised networks.
Analysis: the broader implications
A critical flaw in a collaboration platform raises issues that extend beyond a single product. First, the high-severity rating combined with active exploitation sharpens the need for timely detection and response. Second, reliance on a service described as popular in a large user community means that even a modest patching lag can produce many exposed targets. Finally, the technical nature of the vulnerability — an unrestricted file upload stemming from improper validation — reminds operators that input validation remains a foundational security control whose absence can yield severe outcomes.
The reporting does not provide further technical remediation details or attribution beyond the designation and exploitation status. For operators and stakeholders, the immediate takeaways are the criticality of the flaw, the fact of active exploitation, and the presence of unpatched servers being targeted.
How many unpatched instances remain online, and how quickly they can be identified and secured, will determine whether this episode ends as a contained incident or the start of a wider compromise.
https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html




