A critical remote code execution vulnerability, CVE-2025-0520, is being actively exploited on unpatched ShowDoc servers, posing a significant threat to organizations that rely on this collaboration tool. The flaw, which carries a CVSS score of 9.4, allows attackers to upload files without authentication, enabling them to deploy web shells and execute malicious code on vulnerable servers. ShowDoc versions prior to 2.8.7 are affected; the issue was addressed in version 2.8.7, released on October 20. Attackers are targeting servers that remain unpatched, increasing the risk of compromise [1]. This vulnerability expands the active attack surface, so practitioners should prioritize patching based on their exposure and the existing exploitation evidence. Organizations should assess whether they are vulnerable and apply the necessary updates to mitigate this risk.
Attackers target unpatched ShowDoc servers via CVE-2025-0520
⚡ High Priority
Why This Matters
CVE-2025-0520 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, April 14). Attackers target unpatched ShowDoc servers via CVE-2025-0520. *SecurityAffairs*. https://securityaffairs.com/190790/hacking/attackers-target-unpatched-showdoc-servers-via-cve-2025-0520.html
Original Source
SecurityAffairs