Vulnerability Management, Patch/Configuration Management, Critical Infrastructure Security, Threat Intelligence

CISA warns Trimble Cityworks customers of actively exploited RCE flaw

(Credit: monticellllo – stock.adobe.com)

(Credit: monticellllo – stock.adobe.com)

A Trimble Cityworks vulnerability that could lead to remote code execution (RCE) is being actively exploited in the wild, the Cybersecurity & Infrastructure Security Agency (CISA) warned in an advisory Thursday.

Trimble Cityworks is an asset and work management system designed for public infrastructure organizations such as local governments and utilities providers.

Exploitation of the vulnerability, which is tracked as CVE-2025-0994, could lead to RCE on the Microsoft Internet Information Services (IIS) web server on which Cityworks is running.

CVE-2025-0994 has a high CVSS v4 score of 8.6 and enables an authorized attacker to execute arbitrary code on the IIS server due to deserialization of untrusted data.

The flaw affects all Trimble Cityworks versions prior to 15.8.9, released Jan. 28, 2025, and all versions of Cityworks with office companion prior to 23.10, released Jan. 29, 2025.

On-premises instances should be updated immediately to resolve the flaw, according to Trimble, while Cityworks Online (CWOL) deployments have been automatically patched.

Trimble reported that attackers have been attempting to exploit the vulnerability, and published a list of indicators of compromise (IOC), revealing that attackers attempted to leverage the flaw to deploy payloads including obfuscated JavaScript code, a custom Rust loader used to load Cobalt Strike, and various other malicious executable and binaries.

In addition to immediate patching, Trimble recommended users ensure their on-premises deployments of Cityworks do not have excessive IIS identity privileges.

“For avoidance of doubt, and in accordance with our technical documentation, IIS should not be run with local or domain level administrative privileges on any site,” Trimble stated in its advisory.

Trimble also noted that customers should ensure their deployments have appropriate attachment directory configurations, stating that attachment directory root configurations should be limited to folders and subfolders that only contain attachments.

While Trimble Cityworks is used in the management of public and industrial assets, and its exploitation poses a risk to critical infrastructure IT systems, it cannot control industrial processes and is not a direct part of an industrial control system (ICS), CISA noted.

Related

Actively exploited iOS, iPadOS zero-day addressed

Such a vulnerability — which was discovered and reported by the University of Toronto Munk School of Global Affairs' The Citizen Lab — affects iPhone XS and later, iPad 7th generation and later, iPad mini 5th generation and later, all iPad Pro 11-inch generations, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd gen and later, and iPad Air 3rd generation and later.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

BackdoorBlack HatBusiness Email Compromise (BEC)Covert ChannelsDNS SpoofingDeepfakeDefacementDisruptionDistributed ScansDumpSec

You can skip this ad in 5 seconds