Deserialization Vulnerability in Trimble Cityworks Affecting IIS Web Servers
CVE-2025-0994
Key Information:
- Vendor
Trimble
- Vendor
- CVE Published:
- 6 February 2025
Badges
What is CVE-2025-0994?
CVE-2025-0994 is a deserialization vulnerability found in Trimble Cityworks, a software application designed to manage infrastructure assets and resources. This vulnerability impacts versions prior to 15.8.9 of Cityworks and earlier versions of its Office Companion. It poses a significant risk as it allows authenticated users to execute remote code on a customer's Microsoft Internet Information Services (IIS) web server, which could lead to unauthorized control of critical infrastructure systems and data processing.
Technical Details
The vulnerability arises from improper handling of data during the deserialization process, which can be exploited by attackers who have authenticated access to the system. By manipulating the deserialized data, an attacker could gain the ability to execute arbitrary code on the server, potentially leading to a full system compromise. Given that the affected software is commonly used in governmental and municipal operations, the implications of such a breach can be extensive.
Potential impact of CVE-2025-0994
-
Remote Code Execution: The ability for an authenticated user to execute arbitrary code poses a severe risk, as it could allow attackers to take complete control of the server, leading to potential data breaches and unauthorized access to sensitive information.
-
Disruption of Services: Successful exploitation could incapacitate the affected IIS web servers, resulting in downtime for services reliant on Trimble Cityworks, thereby disrupting critical municipal operations and services.
-
Compromise of Sensitive Data: Given the nature of Cityworks, which often handles sensitive infrastructure and civic data, successful attacks could lead to exposure or manipulation of sensitive information, threatening both public safety and organizational integrity.
CISA has reported CVE-2025-0994
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-0994 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Cityworks 0 < 15.8.9
Cityworks (with office companion) 0 < 23.10
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CISA (.gov)CVE-2025-0994CISA Adds One Known Exploited Vulnerability to Catalog | CISA
CISA has added one vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-0994(link is external) Trimble Cityworks Deserialization...
1 month ago
Chinese-speaking hackers targeting US municipalities with Cityworks bug
Since January, cybersecurity experts have seen Chinese-speaking hackers exploiting a bug impacting a tool used by local governments to manage critical infrastructure assets and other services.
1 month ago
CISA (.gov)CVE-2025-0994Trimble Releases Security Updates to Address a Vulnerability in Cityworks Software | CISA
CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management...
1 month ago
References
EPSS Score
68% chance of being exploited in the next 30 days.
CVSS V4
Timeline
- 💰
Used in Ransomware
- 🟡
Public PoC available
- 🦅
CISA Reported
- 📰
First article discovered by SecurityWeek
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved