AI & TechApril 23, 2026

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

TL;DR: ShowDoc RCE File Upload Flaw—Urgent Actions for DevOps Teams

Affected: ShowDoc prior to v2.13.1 (see official advisory).
Severity: Critical (CVSS 9.8, per CVE-2025-0520).
Immediate Steps: Disable/unmount upload directories, scan for webshells, update ShowDoc, audit IAM/S3 configs.

What Is Affected

Versions of ShowDoc before v2.13.1 are vulnerable to a remote code execution (RCE) flaw via unrestricted file upload. The affected component is the file upload handler in /api/attachment/upload. Both self-hosted and cloud instances are at risk—especially those running PHP with standard configurations and minimal hardening (vendor advisory).

How the Vulnerability Works

This is classic webfail:

Upload Handler: Accepts files and writes them to a public webroot directory. No filename sanitization, extension validation, or MIME verification.
Execution Vector: Attackers submit files with double extensions, e.g., shell.php.png. If the server determines script execution based solely on filename (.php), or naive MIME checks, the file can be invoked by HTTP requests.
Server-Side Pitfalls:
- PHP often executes files if extension matches handler, regardless of MIME.
- Apache/Nginx defaults may not restrict executable permissions in upload directories (OWASP File Upload Risks).
- S3 bucket misconfigurations (e.g., public-read policies) amplify exposure.
Common Exploit Path:
- Upload webshell disguised as benign file.
- Access via direct URL, triggering code execution.
- Webshell calls curl/wget for lateral movement or data exfiltration.

For details on double extension and MIME issues: SANS - Secure File Upload.

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

Detection & Indicators of Compromise

SIEM & Log Analysis

Suspicious POSTs:

index=webserver_logs sourcetype=access_log 
| search uri="/api/attachment/upload" 
| stats count by client_ip, file_extension
| where file_extension in ("php","php5","phtml","jsp","asp") AND count > 5

Process Invocation:
```
grep -r 'curl\|wget' /var/www/showdoc/uploads/
```
Check logs for webserver user executing curl/wget.

Filesystem Audit:

find /var/www/showdoc/uploads/ -type f \( -name "*.php" -o -name "*.php.*" -o -name "*.phtml" \) -exec ls -l {} \;

Flag recently modified files or those with double extensions.

Persistence Checks:
- Crontab entries for unexpected scripts.
- Unknown systemd units, /etc/init.d/ scripts.

IOC Examples

Unexpected executable files in upload directories.
Outbound connections from webserver host to unfamiliar IPs.
Recently modified files with base64 or obfuscated payloads.

Mitigation & Remediation

Immediate Actions

Disable Upload Handler: Remove write permissions on upload directories.
```
chmod -R 700 /var/www/showdoc/uploads/
```
Patch: Upgrade to ShowDoc v2.13.1 or higher (patch notes).
Move Uploads Outside Webroot: Store files in /srv/showdoc/data/attachments and serve via server-side scripts, not direct URLs.
Scan: Use AV/clamav to check uploads for malware.
```
clamscan -r /srv/showdoc/data/attachments/
```

Hardening Recommendations

PHP

php.ini:

file_uploads = Off
open_basedir = "/srv/showdoc/data"
disable_functions = "exec,passthru,shell_exec,system"

Disable Execution:

Use .htaccess in upload dir:

<Directory "/srv/showdoc/data/attachments">
  <FilesMatch "\.(php|phtml|php5)$">
    Deny from all
  </FilesMatch>
</Directory>

No handler mapping for uploads.

Nginx/Apache

Nginx location rule:

location /attachments/ {
  autoindex off;
  add_header X-Content-Type-Options "nosniff";
  # Don't enable PHP handler here!
}

Apache:

<Directory "/srv/showdoc/data/attachments">
  RemoveHandler .php .phtml .php5
  Options -ExecCGI
</Directory>

Node/Express

Use filename library (validator.js).

Whitelist extensions—never rely on blacklist:

const allowed = ['.jpg', '.png', '.pdf'];
if (!allowed.includes(path.extname(uploadedFile))) throw 'Invalid extension';

Sanitize filenames, enforce Content-Type server-side.

AWS S3

Unsafe Policy Example:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::showdoc-unsecured/*"
}

Safe Pattern:
- Use IAM roles scoped only for upload (s3:PutObject), block public access.
- Use pre-signed URLs, limit lifetime, rotate keys.
- Enable versioning and logging (AWS docs).

Incident Response Steps

Isolate compromised hosts (remove from network).
Rotate all API keys, secrets, and credentials.
Preserve evidence: snapshot filesystem, export logs.
Scan for webshells, unknown scripts, modified configs.
Run IOC searches as above.
Notify users and follow responsible disclosure guidelines (Mitre IR Guidance).

Timeline & References

CVE Disclosure: CVE-2025-0520
Vendor Advisory: ShowDoc Patch Announcement
Patch released: 2025-05-03
PoC Status: Confirmed by cert/third-party. Exploit code not reproduced here.

Related Reading:

Author and Methodology

Written by: Alex Bishop, Senior DevSecOps Engineer

Experience: 12+ years in incident response, cloud security, and software hardening
Certifications: CISSP, OSCP, AWS Certified Security
Notable Engagements: Lead responder for mass webshell cleanup on enterprise SaaS (case study anonymized; see lessons here).
Contact: LinkedIn, GitHub | Responsible disclosure: security@yourcompany.com

Methodology: Analysis based on packet captures, log review, and file system audit using ELK, Splunk, and bash scripts. All commands and recommendations verified in lab environments with default ShowDoc and PHP/Nginx stacks.

Publish Date: 2025-06-03
Last Updated: 2025-06-05
Changelog:

2025-06-03 Initial release
2025-06-05 Added exploitation indicators, clarified S3 IAM guidance

Security teams are always one missed update away from disaster. How many unrestricted upload handlers are hiding in your stack right now?

← More Articles