Deserialization Vulnerability in Trimble Cityworks Affecting IIS Web Servers
CVE-2025-0994

8.6 HIGH

Key Information:

Vendor: Trimble

CVE Published: 6 February 2025

Badges

📈 Score: 1,670 | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 73% | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2025-0994?

CVE-2025-0994 is a deserialization vulnerability in Trimble Cityworks, a software application designed to manage infrastructure assets and resources. It affects Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. It poses a significant risk because it allows an authenticated user to execute code remotely on a customer's Microsoft Internet Information Services (IIS) web server, which could lead to unauthorized control of critical infrastructure systems and data processing.

Technical Details

The vulnerability arises from improper handling of data during the deserialization process, which can be exploited by attackers who have authenticated access to the system. By manipulating the deserialized data, an attacker could gain the ability to execute arbitrary code on the server, potentially leading to a full system compromise. Given that the affected software is commonly used in governmental and municipal operations, the implications of such a breach can be extensive.

Potential impact of CVE-2025-0994

  1. Remote Code Execution: The ability for an authenticated user to execute arbitrary code poses a severe risk, as it could allow attackers to take complete control of the server, leading to potential data breaches and unauthorized access to sensitive information.

  2. Disruption of Services: Successful exploitation could incapacitate the affected IIS web servers, resulting in downtime for services reliant on Trimble Cityworks, thereby disrupting critical municipal operations and services.

  3. Compromise of Sensitive Data: Given the nature of Cityworks, which often handles sensitive infrastructure and civic data, successful attacks could lead to exposure or manipulation of sensitive information, threatening both public safety and organizational integrity.

CISA has reported CVE-2025-0994

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-0994 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Cityworks 0 < 15.8.9

Cityworks (with office companion) 0 < 23.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Chinese hackers breach US local governments using Cityworks zero-day

Chinese-speaking hackers have exploited a now-patched Trimble Cityworks zero-day to breach multiple local governing bodies across the United States.

Trimble Cityworks: CVE-2025-0994: Active Exploitation

Learn about CVE-2025-0994 affecting Trimble Cityworks products. Patch now to prevent remote code execution.

Vulnerability in Cityworks leads to Microsoft IIS attacks

Trimble warns of a critical Cityworks vulnerability (CVE-2025-0994) and recommends quick updates and security measures.

References

EPSS Score

73% chance of being exploited in the next 30 days.

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 🦅 CISA Reported

  • 📰 First article discovered by SecurityWeek

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Trimble