The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about a significant security vulnerability in Trimble Cityworks. This GIS-centric asset management software is widely used by municipalities and organizations. The flaw, identified as CVE-2025-0994, is actively exploited in the wild, posing a serious threat to users and their data integrity.
Understanding the Vulnerability
CVE-2025-0994 is a deserialization of untrusted data vulnerability. It has a CVSS v4 score of 8.6, indicating high severity. This flaw allows an authenticated user to execute remote code on a customer’s Microsoft Internet Information Services (IIS) web server. Consequently, such exploitation can lead to severe security breaches, including unauthorized access to sensitive data and disruption of services. Organizations that rely on Cityworks for critical asset management functions should be particularly concerned.
Affected Versions
The vulnerability impacts the following versions of Cityworks:
- Cityworks: All versions prior to 15.8.9
- Cityworks with Office Companion: All versions prior to 23.10
Organizations using these versions face heightened risk and should prioritize addressing this vulnerability.
Patching and Exploitation
Trimble released patches to mitigate this security defect on January 29, 2025. However, CISA reports that attackers actively exploit this vulnerability in real-world attacks. Therefore, users must act swiftly. The agency has noted that attackers seek to exploit this flaw, which could lead to significant operational disruptions and data breaches.
Reports indicate that Trimble has encountered unauthorized attempts to access specific customers’ Cityworks deployments. This highlights the targeted nature of these attacks. Attackers are not only exploiting the vulnerability but also conducting reconnaissance to identify vulnerable systems.
Indicators of Compromise (IoCs)
Trimble has provided indicators of compromise (IoCs) related to this vulnerability. Attackers use these to deploy a Rust-based loader. This loader can launch Cobalt Strike, a well-known penetration testing tool, along with a Go-based remote access tool named VShell and other unidentified payloads. The use of these sophisticated tools shows that attackers employ advanced techniques to maintain control over compromised systems.
Call to Action for Users
As the situation evolves, it remains unclear who orchestrates these attacks or their ultimate objectives. Users operating affected versions of Trimble Cityworks should update their software to the latest versions immediately. Additionally, organizations should review their security protocols and implement monitoring measures to detect any suspicious activity related to this vulnerability.
