Trimble Cityworks vulnerability exploited by attackers for remote code execution (RCE), per CISA alert
A critical security issue has been identified in the popular asset management software, Trimble Cityworks. The vulnerability, tracked as CVE-2025-0994, is a high-severity deserialization vulnerability that allows for remote code execution (RCE) against Microsoft IIS web servers hosting Cityworks. This can lead to service downtime, unauthorized access, and potential network breaches, particularly impacting local governments and public infrastructure entities using this GIS-centric platform.
Currently, the vulnerability is actively exploited in the wild by threat actors, including Chinese cyber espionage groups, to gain unauthorized access to U.S. local government networks and critical infrastructure systems. The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-0994 to its list of known exploited vulnerabilities, underscoring the urgency of mitigation efforts.
Researchers from Symantec have reported the use of various tools in the related threat activity, including Cobalt Strike, GodPotato privilege escalation tool variants, and JavaScript reconnaissance tools. Cobalt Strike is a known offensive cyber operations tool used for initial access, lateral movement, and command and control, while GodPotato is a tool used for privilege escalation. JavaScript reconnaissance tools are used for gathering information about a target system or network.
To address this vulnerability, Trimble has issued a patch for the affected versions of Cityworks. Organizations using Trimble Cityworks are strongly advised to immediately apply the security patches and updates released by Trimble to prevent exploitation. Prompt patching is crucial to minimize the risk of unauthorized access.
In addition to patching, it is recommended to limit authenticated access to the Cityworks IIS server only to trusted users and network segments. Network traffic and logs should be monitored for suspicious activity indicative of exploitation attempts. Strong authentication and network segmentation controls around Cityworks infrastructure can also help reduce risk exposure.
Trimble advises that Internet Information Services (IIS) should not be run with local or domain-level administrative privileges on any site. A document obtained by Cybersecurity Dive details the use of the tools described above in the threat activity.
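One way to check the IIS privilege advice above is to audit every application pool's worker-process identity. The script below is an added example, not code from Trimble or CISA; it assumes it is run locally on the IIS host with the WebAdministration module available, and treats the group names "Administrators" and "Domain Admins" as the privilege indicators (adjust for localized or custom groups).

```powershell
# Added audit example (not from Trimble or CISA): list IIS application pools whose
# worker-process identity carries local or domain administrative privilege.
# Assumes: run on the IIS host, WebAdministration module present, local admin rights.
Import-Module WebAdministration

# Built-in identity types that already run with full local privilege.
$builtInAdmin = @('LocalSystem')

# Returns $true if the named account is a member of the local Administrators group
# or of Domain Admins (group names are assumptions; adjust for localized systems).
function Test-AdminAccount {
    param([string]$Account)
    $isLocalAdmin = $false
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $isLocalAdmin = [bool]($members | Where-Object { $_.Name -ieq $Account })
    } catch { }
    $isDomainAdmin = $false
    if ($Account -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        try {
            # Requires the RSAT ActiveDirectory module; silently skipped if absent.
            $groups = Get-ADPrincipalGroupMembership -Identity $Matches.user -ErrorAction Stop
            $isDomainAdmin = [bool]($groups | Where-Object { $_.Name -ieq 'Domain Admins' })
        } catch { }
    }
    return ($isLocalAdmin -or $isDomainAdmin)
}

# Walk every application pool and flag those running as an administrative identity.
$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $idType = $pool.processModel.identityType
    $user   = $pool.processModel.userName
    $risky  = ($builtInAdmin -contains $idType) -or
              ($idType -eq 'SpecificUser' -and (Test-AdminAccount -Account $user))
    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $idType
        Account      = $user
        AdminPrivs   = $risky
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit signals at least one over-privileged pool, usable from a scheduled compliance job.
if ($findings | Where-Object AdminPrivs) { exit 1 } else { exit 0 }
```

A pool flagged here should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account before the Cityworks site is considered hardened.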
In summary, CVE-2025-0994 is actively exploited and poses a significant risk to organizations running Trimble Cityworks. The top priority is to deploy the official patches without delay and strengthen access controls to mitigate further compromise. Organizations are urged to take immediate action to protect their systems and networks.
- The current threat landscape indicates that the vulnerability in Trimble Cityworks, CVE-2025-0994, is being actively exploited by cyber espionage groups, highlighting the importance of strengthening cybersecurity, particularly in the technology sector, to protect against unauthorized access and potential network breaches.
- To effectively mitigate the risks associated with the CVE-2025-0994 vulnerability in Trimble Cityworks, organizations are advised to promptly deploy the provided patches, enhance access controls by limiting authenticated access to the Cityworks IIS server, and monitor network traffic and logs for suspicious activities, while also adhering to strong authentication and network segmentation controls.