Trimble Cityworks Vulnerability: A Deserialization of Untrusted Data Bug

February 7, 2025

The Hacker News

U.S. Cybersecurity and Infrastructure Security Agency (CISA) Warns of Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a security flaw in Trimble’s Cityworks GIS-centric asset management software is being actively exploited in the wild. The vulnerability, identified as CVE-2025-0994 (CVSS v4 score: 8.6), is a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.

Impact and Affected Versions

CISA has stated that this vulnerability could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server. The affected versions of Cityworks include:

• All versions prior to 15.8.9
• Cityworks with office companion (All versions prior to 23.10)

Patches and Recommendations

Trimble has released patches to address the security defect as of January 29, 2025. CISA has warned that the vulnerability is being weaponized in real-world attacks, and users running affected versions of the software are advised to update their instances to the latest version for optimal protection.

Indicators of Compromise (IoCs)

Trimble has released indicators of compromise (IoCs) that show the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.

Current Status and Next Steps

It is currently not known who is behind the attacks, and what the end goal of the campaign is. Users running affected versions of the software are advised to update their instances to the latest version for optimal protection.

Stay Informed

Follow us on Twitter and LinkedIn to read more exclusive content we post.

About The Hacker News

This article is a contributed piece from one of our valued partners.