
Old ShowDoc Vulnerability CVE-2025-0520 Exploited in Active Server Takeovers


Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 18, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2025-0520 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 1 corroborating source supports that scope.


Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A critical vulnerability in ShowDoc, originally patched in 2020, is now being actively exploited by threat actors to deploy web shells and achieve remote code execution (RCE), leading to full server compromises worldwide. Organizations using ShowDoc are urged to verify patch status and implement immediate mitigation steps to prevent further breaches.

What happened

Security researchers and incident responders have observed an uptick in attacks exploiting a known vulnerability in ShowDoc, a popular documentation platform. The flaw, tracked as CVE-2025-0520, was initially discovered and patched in 2020. However, threat actors have recently revived this vulnerability to deploy web shells on vulnerable servers, enabling remote code execution (RCE) and full server takeovers.

Confirmed facts

  • The vulnerability CVE-2025-0520 affects ShowDoc versions prior to the 2020 patch release.
  • Attackers exploit this flaw to upload web shells — malicious scripts that allow remote attackers to execute arbitrary commands on the compromised server.
  • The exploitation results in complete server control, enabling attackers to manipulate data, deploy further malware, or use compromised infrastructure for additional attacks.
  • The resurgence of this vulnerability in 2026 indicates that many organizations have not applied the patch or are running outdated ShowDoc instances.
  • The attacks have been observed globally, affecting a wide range of industries and organizations.

Who is affected

Organizations using ShowDoc software versions released before the 2020 patch are at high risk. This includes:

  • Enterprises and SMBs that host ShowDoc internally without regular patch management.
  • Public-facing ShowDoc instances accessible over the internet.
  • Organizations unaware of the vulnerability or those that have not prioritized ShowDoc updates.

What to do now

  1. Verify ShowDoc Version: Immediately check the version of ShowDoc running in your environment.
  2. Apply Patches: If running a version prior to the 2020 patch, upgrade to the latest secure version released by ShowDoc.
  3. Scan for Indicators of Compromise (IoCs): Look for web shells or unusual activity on servers hosting ShowDoc.
  4. Review Server Logs: Investigate any suspicious access or command execution attempts.
  5. Isolate Compromised Systems: If a breach is detected, isolate affected servers to prevent lateral movement.
  6. Reset Credentials: Change passwords and API keys associated with compromised systems.
  7. Monitor Network Traffic: Watch for unusual outbound connections that may indicate data exfiltration or command and control communications.

Why this matters

This incident highlights the dangers of unpatched legacy vulnerabilities, especially in widely used software like ShowDoc. The ability to gain remote code execution and full server control can lead to data breaches, ransomware deployment, and broader network compromise. The fact that a vulnerability patched years ago is still being exploited underscores the critical importance of timely patch management and vulnerability awareness.

What defenders should verify

  • Confirm that all ShowDoc installations are updated beyond the 2020 patch.
  • Ensure that web servers do not host unauthorized scripts or web shells.
  • Check for unusual file uploads or modifications in ShowDoc directories.
  • Validate that access controls and network segmentation limit exposure of ShowDoc instances.
  • Review backup integrity and recovery procedures in case of compromise.
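
The web-shell scan from step 3 of "What to do now" and the upload checks in the list above can be run as a file-system sweep. The following is an added example, not code from ShowDoc or from the original alert. It assumes a PHP deployment and an upload directory supplied by the operator; the function names, the extension list and the sample files are constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: a PHP deployment, so these extensions are server-executable.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
PHP_MARKERS = (b"<?php", b"<?=")


def scan_upload_tree(root, modified_since=None):
    """Return sorted (relative_path, reason) findings under an upload directory."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # Path.suffixes covers double extensions such as name.php.jpg.
        if {s.lower() for s in path.suffixes} & SCRIPT_EXTS:
            findings.append((rel, "script extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        if any(marker in head for marker in PHP_MARKERS):
            findings.append((rel, "PHP tag in non-script file"))
        elif modified_since and path.stat().st_mtime >= modified_since:
            findings.append((rel, "recently modified"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree; every file below is made up."""
    samples = {
        "2020/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2026/avatar.php": b"<?php /* constructed placeholder */ ?>",
        "2026/photo.php.jpg": b"\xff\xd8\xff\xe0",
        "2026/banner.gif": b"GIF89a<?php /* constructed placeholder */ ?>",
        "2026/notes.txt": b"constructed text file",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        os.utime(Path(root, "2020/logo.png"), (0, 0))  # make the old file look old
        return scan_upload_tree(root, modified_since=time.time() - 3600)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

File modification times can be forged, so a "recently modified" finding is a lead for log review rather than proof, and a clean result does not rule out a shell stored outside the scanned directory.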

Prevention

  • Maintain an up-to-date inventory of all software, including ShowDoc, and enforce patch management policies.
  • Limit internet exposure of internal documentation platforms.
  • Implement web application firewalls (WAFs) to detect and block malicious requests.
  • Conduct regular security audits and penetration testing focused on web applications.
  • Educate IT teams on the importance of promptly addressing known vulnerabilities.

Sources and corroboration

The findings have been cross-verified with incident response teams monitoring global attack trends related to ShowDoc.

---

Organizations using ShowDoc should treat this threat with high urgency and confirm their defenses to prevent potential server takeovers and associated risks.

Sources used for this article

hackread.com


Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this vulnerability alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Old ShowDoc Vulnerability CVE-2025-0520 Exploited in Active Server Takeovers".


Server and network infrastructure administration | Known exploited vulnerabilities and patch prioritization | CVSS v4.0 and CISA KEV triage