Introduction
A critical security vulnerability (CVE-2025-0520), actively exploited in the wild, is being used against unpatched instances of ShowDoc, a widely used document management and collaboration service, particularly within the Chinese technology sector. With a CVSS score of 9.4, this flaw allows attackers to achieve unauthenticated Remote Code Execution (RCE) on the underlying server.
Defenders must treat this as an emergency. Successful exploitation typically leads to the deployment of webshells, giving adversaries persistent control over the host to facilitate lateral movement, data exfiltration, or ransomware deployment. If you operate ShowDoc, you are currently in the crosshairs.
Technical Analysis
Affected Products:
- ShowDoc: All versions prior to the latest vendor patch are presumed vulnerable. This vulnerability is tracked under CVE-2025-0520 and historically referenced as CNVD-2020-26585.
Vulnerability Mechanics: The vulnerability stems from an unrestricted file upload due to improper validation of user-supplied input. The application fails to adequately verify the file type or extension of uploaded content.
Attack Chain:
- Initial Access: The attacker sends a crafted HTTP POST request to the vulnerable upload endpoint (often identified in past variants as /home/Upload/uploadImg or similar).
- Exploitation: The request bypasses weak validation checks, allowing the upload of a malicious script file (e.g., PHP) disguised as a legitimate document image.
- Execution: The attacker requests the uploaded file via a browser or tool (e.g., curl). The web server processes the file as executable code rather than static data.
- Payload: The code executes with the privileges of the web server user (often www-data), granting the attacker RCE capabilities.
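The validation the vulnerable endpoint lacks, as an added example (not ShowDoc's code): the client-supplied name is untrusted, the decision comes from an extension allowlist plus the file's magic bytes, double extensions and embedded PHP tags are refused, and the stored name is generated server-side. Function and constant names are this example's own.

```python
import os
import secrets

# Allowed image extensions and the magic bytes each must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Script extensions that must never appear anywhere in an uploaded name
# (same list the .htaccess block in the remediation script denies).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}


class UploadRejected(ValueError):
    """Raised when the upload fails any check; the caller answers HTTP 400."""


def validate_image_upload(client_name: str, content: bytes) -> str:
    """Validate an uploaded 'image' and return the random name to store it under.

    The client-supplied name is only consulted for the final extension; the
    decision is made from an allowlist plus the file's own magic bytes, and
    the stored name is generated here so the uploader never chooses the
    path or extension the web server will see.
    """
    # Strip any directory components, including Windows-style separators.
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext")
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension '{ext}' is not an allowed image type")
    # Reject double extensions such as shell.php.jpg, which some handler
    # configurations execute based on the inner extension.
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        raise UploadRejected("script extension embedded in filename")
    if not content.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    # A valid image with a PHP tag appended is a polyglot; refuse it outright.
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("PHP open tag found inside image data")
    return f"{secrets.token_hex(16)}.{ext}"
```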
Exploitation Status:
- Active Exploitation: Confirmed. Threat actors are actively scanning for and exploiting this vulnerability against internet-facing ShowDoc instances.
Detection & Response
Given the active exploitation status, detection must focus on identifying the behavior of the webshell rather than just the upload attempt, as upload mechanisms may vary. We are focusing on the web server process spawning unusual shells and the creation of suspicious script files.
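The behaviour-based detection this section describes, as an added example that is not part of the advisory: it applies the same parent/suffix and upload-path logic as the Sigma rules on this page to process and file events, and adds one correlation the rules alone cannot express, flagging when a script written to an upload path is then served by the web server. All telemetry is constructed for the example; field names are this example's own.

```python
import json
import re

# Same suffix and path lists as the Sigma rules on this page.
WEB_PARENTS = ("/nginx", "/apache2", "/httpd", "/php-fpm")
SHELLS = ("/sh", "/bash", "/dash", "/perl", "/python")
UPLOAD_PATHS = ("/public/upload/", "/server/public/", "/showdoc/")
SCRIPT_EXTS = (".php", ".php5", ".phtml")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample telemetry (made up for this example): JSON lines for
# process and file events, plus combined-format access-log lines.
SAMPLE_EVENTS = [
    '{"type":"file","path":"/var/www/html/showdoc/server/public/upload/2026-04/a1b2.php"}',
    '{"type":"file","path":"/var/www/html/showdoc/server/public/upload/2026-04/logo.png"}',
    '{"type":"process","parent":"/usr/sbin/php-fpm","image":"/bin/sh","cmdline":"sh -c id"}',
    '{"type":"process","parent":"/usr/sbin/cron","image":"/bin/sh","cmdline":"sh -c backup"}',
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [06/Apr/2026:10:00:01 +0000] "POST /index.php?s=/home/Upload/uploadImg HTTP/1.1" 200 71',
    '203.0.113.5 - - [06/Apr/2026:10:00:03 +0000] "GET /server/public/upload/2026-04/a1b2.php?x=1 HTTP/1.1" 200 11',
]

def detect(event_lines, access_lines):
    """Return (severity, reason, detail) alerts.
    Rules 1 and 2 mirror the Sigma rules (web server spawning a shell; script
    written under an upload path); rule 3 correlates rule 2 with the access
    log, firing when a dropped script is then served with HTTP 200."""
    alerts, dropped = [], set()
    for line in event_lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            if ev["parent"].endswith(WEB_PARENTS) and ev["image"].endswith(SHELLS):
                alerts.append(("critical", "web server spawned shell", ev["cmdline"]))
        elif ev["type"] == "file":
            path = ev["path"]
            if any(u in path for u in UPLOAD_PATHS) and path.endswith(SCRIPT_EXTS):
                dropped.add(path.rsplit("/", 1)[-1])
                alerts.append(("high", "script written to upload dir", path))
    for line in access_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Drop the query string, then compare the basename with dropped files.
        requested = m.group(1).split("?", 1)[0].rsplit("/", 1)[-1]
        if requested in dropped and m.group(2) == "200":
            alerts.append(("critical", "dropped script served with 200", line.strip()))
    return alerts
```

Running detect(SAMPLE_EVENTS, SAMPLE_ACCESS) yields three alerts: the dropped .php file, the php-fpm-spawned shell, and the 200 response to the dropped file; the cron-spawned shell and the .png upload are ignored.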
SIGMA Rules
---
title: ShowDoc Potential Webshell Activity - Linux Web Server Spawning Shell
id: 8c4d2e1f-9a3b-4c5d-8e6f-7a8b9c0d1e2f
status: experimental
description: Detects potential webshell activity by identifying the web server process (nginx/apache/httpd/php-fpm) spawning a shell (sh, bash, perl, python).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0520
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1190
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/nginx'
            - '/apache2'
            - '/httpd'
            - '/php-fpm'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/perl'
            - '/python'
    condition: selection
falsepositives:
    - Legitimate administrative scripts executed by the web server (rare)
level: critical
---
title: ShowDoc Suspicious File Creation in Upload Directories
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the creation of script files (.php, .phtml) within common ShowDoc upload paths, indicative of unrestricted file upload exploitation.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0520
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: file_event
    product: linux
detection:
    selection:
        TargetFilename|contains:
            - '/public/upload/'
            - '/server/public/'
            - '/showdoc/'
        TargetFilename|endswith:
            - '.php'
            - '.php5'
            - '.phtml'
    condition: selection
falsepositives:
    - Legitimate file uploads if the application allows php uploads (unlikely)
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for ShowDoc webshell activity: Web server process spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~("nginx", "apache2", "httpd", "php-fpm")
| where FileName in~("sh", "bash", "dash", "perl", "python3", "python")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious PHP processes spawned by web server users
-- (php-fpm workers are excluded; a stray php process under the web user is the signal)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'php.*'
  AND Username =~ 'www-data|nginx|apache'
  AND NOT CommandLine =~ 'fpm'

-- Hunt for recently created PHP files in ShowDoc directories
-- (now() returns epoch seconds, so subtract 86400 for the last 24 hours)
SELECT FullPath, Size, Mtime, Mode.String AS Mode
FROM glob(globs='/var/www/html/showdoc/**/*.php', root='/')
WHERE Mtime > timestamp(epoch=now() - 86400)
Remediation Script (Bash)
#!/bin/bash
# ShowDoc CVE-2025-0520 Emergency Response Script
# Usage: sudo ./remediate_showdoc.sh
set -u
echo "[*] Starting ShowDoc Hardening for CVE-2025-0520..."

# 1. Identify ShowDoc Installation (Common paths)
SHOWDOC_PATHS=("/var/www/html/showdoc" "/data/showdoc" "/home/wwwroot/showdoc")
TARGET_PATH=""
for path in "${SHOWDOC_PATHS[@]}"; do
    if [ -d "$path" ]; then
        TARGET_PATH="$path"
        break
    fi
done
if [ -z "$TARGET_PATH" ]; then
    echo "[!] ShowDoc installation directory not found in standard locations. Please manually update the application."
    exit 1
fi
echo "[+] Found ShowDoc at: $TARGET_PATH"

# 2. Check for common Webshell IOCs in upload directories
# Write to a private temp file rather than a fixed, predictable /tmp path
SCAN_LOG="$(mktemp /tmp/showdoc_scan.XXXXXX)"
echo "[*] Scanning for suspicious PHP files in upload directories..."
find "$TARGET_PATH" -type f \( -name "*.php" -o -name "*.php5" -o -name "*.phtml" \) -path "*/upload*" -exec ls -la {} \; > "$SCAN_LOG"
if [ -s "$SCAN_LOG" ]; then
    echo "[!] WARNING: Potentially suspicious PHP files found in upload directories. Check $SCAN_LOG"
else
    echo "[+] No obvious webshells found in upload folders."
fi

# 3. Enforce permissions on upload directories (Disable execution)
# Note: Adjust the specific upload folder name based on your version structure
UPLOAD_DIR="$TARGET_PATH/public/uploads"
if [ -d "$UPLOAD_DIR" ]; then
    echo "[*] Hardening $UPLOAD_DIR to prevent script execution..."
    # Uploaded content is data: directories stay traversable, files lose the execute bit
    find "$UPLOAD_DIR" -type d -exec chmod 755 {} +
    find "$UPLOAD_DIR" -type f -exec chmod 644 {} +
    # Create .htaccess to deny execution if using Apache. This only takes effect
    # when AllowOverride permits these directives; nginx ignores .htaccess, so add
    # an equivalent "location" block there instead. Require syntax is Apache 2.4
    # (use "Order Allow,Deny" / "Deny from all" on 2.2).
    cat > "$UPLOAD_DIR/.htaccess" <<'EOF'
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .php5 .phtml
<FilesMatch "\.(php|php3|php4|php5|phtml)$">
    Require all denied
</FilesMatch>
EOF
    echo "[+] .htaccess restrictions applied."
fi

# 4. Web Server Restart (Optional, to ensure config reloads)
echo "[*] Restarting Web Server (Apache/Nginx)..."
if command -v systemctl &> /dev/null; then
    systemctl restart apache2 2>/dev/null || systemctl restart httpd 2>/dev/null || systemctl restart nginx 2>/dev/null
fi
echo "[+] Remediation steps completed."
echo "[CRITICAL] Please download and apply the official vendor patch for CVE-2025-0520 immediately."
Remediation
1. Immediate Patching: The only complete remediation is to update ShowDoc to the latest version provided by the vendor. This vulnerability stems from a fundamental flaw in input validation logic that cannot be fully mitigated by configuration changes alone.
2. Vendor Advisory: Monitor the official ShowDoc GitHub repository or vendor channels for the security release addressing CVE-2025-0520 / CNVD-2020-26585.
3. Network Segmentation: If patching is delayed, isolate ShowDoc instances from the internet or restrict access strictly to trusted IP addresses via firewall rules (WAF or iptables).
4. WAF Signature: Deploy or update Web Application Firewall (WAF) rules to block HTTP POST requests targeting the specific upload endpoints associated with this vulnerability (e.g., /index.php?s=/home/Upload/uploadImg) and to validate multipart/form-data content strictly.
5. Post-Incident Forensics: If exploitation is suspected, assume full server compromise. Rotate all credentials stored on the ShowDoc server and review logs for evidence of lateral movement.