
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding an actively exploited security vulnerability in Trimble Cityworks, a widely used GIS-centric asset management software. This critical flaw, identified as CVE-2025-0994, carries a CVSS v4 score of 8.6, underscoring its severity. The vulnerability arises from the deserialization of untrusted data, enabling potential remote code execution (RCE) attacks.
The Vulnerability
According to CISA’s advisory dated February 6, 2025, CVE-2025-0994 can be exploited by an authenticated attacker to execute arbitrary code on a victim’s Microsoft Internet Information Services (IIS) web server. This deserialization flaw affects:
Cityworks (All versions prior to 15.8.9)
Cityworks with Office Companion (All versions prior to 23.10)
Trimble, the Colorado-based software provider, has confirmed the existence of the flaw and released security patches on January 29, 2025. Despite these patches, attackers have already weaponized the vulnerability in real-world attacks, emphasizing the urgency for organizations to act swiftly.
Active Exploitation in the Wild
CISA’s alert highlights that malicious actors are actively targeting vulnerable Cityworks deployments. Trimble has reported receiving credible information about unauthorized access attempts directed at specific customer environments. These intrusions are not speculative; they are part of an ongoing campaign exploiting the CVE-2025-0994 vulnerability.
Indicators of Compromise (IoCs) provided by Trimble reveal that attackers are using the flaw to deploy a range of malicious tools, including:
Rust-Based Loader: A sophisticated malware loader that facilitates the delivery of additional payloads.
Cobalt Strike: A legitimate penetration testing tool often repurposed by threat actors for command-and-control (C2) operations.
VShell (Go-Based Remote Access Tool): A custom remote access tool (RAT) designed to provide persistent access to compromised systems.
The full scope of the campaign remains unclear, including the identity of the threat actors and their ultimate objectives. However, the deployment of advanced tools like Cobalt Strike suggests that the attackers may have significant technical capabilities, possibly linked to cybercrime syndicates or nation-state actors.
Potential Impact on Critical Infrastructure
Cityworks is extensively used by municipalities, utilities, and other critical infrastructure sectors to manage assets, workflows, and public services. Successful exploitation of this vulnerability could lead to:
Data Breaches: Unauthorized access to sensitive data, including municipal records and infrastructure blueprints.
Service Disruptions: Potential downtime of critical public services managed through Cityworks.
Lateral Movement: Attackers could leverage compromised IIS servers to move laterally within an organization’s network, targeting other high-value systems.

CISA’s Recommendations
CISA urges all organizations using Trimble Cityworks to take immediate action to mitigate the risk posed by CVE-2025-0994. Recommended steps include:
Apply Security Patches: Ensure that Cityworks is updated to version 15.8.9 or later, and Cityworks with Office Companion is updated to version 23.10 or newer.
Review Security Logs: Examine IIS server logs for any signs of suspicious activity, particularly anomalies related to deserialization processes.
Implement Network Segmentation: Isolate Cityworks servers from other critical systems to limit potential lateral movement in case of a breach.
Enhance Monitoring: Deploy advanced threat detection tools capable of identifying Cobalt Strike beacons and unusual outbound traffic patterns associated with VShell.
Incident Response Preparedness: Organizations should review and update their incident response plans to ensure readiness in the event of a compromise.
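The first two recommendations above are the ones a defender can turn into code on day one: confirm the installed build is at or past the fixed release, and pull a first pass over the IIS logs. The block below is an added example written for this page (editor's code, not CISA's or Trimble's). The two version thresholds come from the advisory; the W3C log lines, the user names, and the request paths are constructed samples; and the triage heuristics (authenticated POSTs ending in a 5xx, and bursts of POSTs from one client) are the editor's reading of "anomalies related to deserialization processes", not signatures published by either organisation.

```python
"""Added example (editor's code, not from CISA or Trimble): checks the two
patch thresholds named in the advisory and runs a first-pass triage over IIS
W3C extended log lines. Log lines and paths below are constructed samples;
the anomaly heuristics are assumptions, not published signatures."""
from collections import Counter

# Fixed releases stated in the advisory: Cityworks 15.8.9, Office Companion 23.10.
FIXED_VERSIONS = {
    "cityworks": (15, 8, 9),
    "cityworks_office_companion": (23, 10),
}


def parse_version(text):
    """'15.8.9' -> (15, 8, 9); a trailing build tag such as '-hotfix1' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(product, installed):
    """True when the installed version is at or above the fixed release."""
    fixed = FIXED_VERSIONS[product]
    inst = parse_version(installed)
    width = max(len(fixed), len(inst))
    # Pad with zeros so '23.10' and '23.10.0' compare as equal rather than shorter-is-less.
    return inst + (0,) * (width - len(inst)) >= fixed + (0,) * (width - len(fixed))


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text; the '#Fields:' directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of mis-aligning columns
        yield dict(zip(fields, values))


def triage(entries, burst_threshold=5):
    """Editor's heuristics for 'anomalies related to deserialization':
    authenticated POSTs that end in a 5xx (malformed or failed deserialization
    commonly surfaces as a server error) and bursts of POSTs from one client."""
    findings = []
    posts_per_client = Counter()
    for e in entries:
        if e.get("cs-method") != "POST":
            continue
        client = (e.get("c-ip"), e.get("cs-username"))
        posts_per_client[client] += 1
        if e.get("sc-status", "").startswith("5"):
            findings.append({"rule": "server_error_on_post", "client": client,
                             "uri": e.get("cs-uri-stem"), "time": e.get("time")})
    for client, n in posts_per_client.items():
        if n >= burst_threshold:
            findings.append({"rule": "post_burst", "client": client, "count": n})
    return findings


# Constructed sample log: one ordinary user plus one account that hammers a
# POST endpoint (the path is invented) and trips two server errors.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-02-06 10:01:12 10.0.0.5 GET /cityworks/ - 443 jsmith 10.0.0.23 Mozilla/5.0+(Windows) 200 0 0 41
2025-02-06 10:01:40 10.0.0.5 POST /cityworks/ - 443 jsmith 10.0.0.23 Mozilla/5.0+(Windows) 200 0 0 95
2025-02-06 10:02:03 10.0.0.5 POST /cityworks/upload - 443 svc_gis 198.51.100.7 python-requests/2.31 500 0 0 812
2025-02-06 10:02:05 10.0.0.5 POST /cityworks/upload - 443 svc_gis 198.51.100.7 python-requests/2.31 200 0 0 640
2025-02-06 10:02:07 10.0.0.5 POST /cityworks/upload - 443 svc_gis 198.51.100.7 python-requests/2.31 500 0 0 777
2025-02-06 10:02:09 10.0.0.5 POST /cityworks/upload - 443 svc_gis 198.51.100.7 python-requests/2.31 200 0 0 605
2025-02-06 10:02:11 10.0.0.5 POST /cityworks/upload - 443 svc_gis 198.51.100.7 python-requests/2.31 200 0 0 611
"""


def triage_sample():
    """Run the triage over the constructed log and return the findings."""
    return triage(parse_iis_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    for product, version in [("cityworks", "15.8.8"), ("cityworks", "15.8.9"),
                             ("cityworks_office_companion", "23.9.2")]:
        print(product, version, "patched" if is_patched(product, version) else "VULNERABLE")
    for finding in triage_sample():
        print(finding)
```

The version check pads tuples so "23.10" and "23.10.0" compare equal, which matters because the advisory gives the Office Companion threshold with two components. The log triage deliberately groups by both client IP and `cs-username`: the advisory says the flaw needs an authenticated user, so a single account generating a burst of failing POSTs is a more useful signal than raw request volume.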
Indicators of Compromise (IoCs)
Trimble has shared IoCs to help organizations identify potential breaches:
File Hashes: Related to Rust-based loaders and VShell payloads.
Network Indicators: C2 domains and IP addresses linked to attacker infrastructure.
Behavioral Patterns: Signs of unauthorized IIS modifications or unexpected system processes.
Security teams are advised to integrate these IoCs into their monitoring systems and conduct thorough threat-hunting exercises.
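Integrating the three IoC categories into monitoring means matching file hashes, network indicators and behavioural patterns against telemetry from the same host. The block below is an added example (editor's code, not Trimble's or CISA's) showing one way to fold all three into a single matcher. The indicator values are placeholders because this page does not reproduce Trimble's actual IoC list; the telemetry events are constructed; and the two behavioural rules (an IIS worker process `w3wp.exe` spawning a child outside an allowlist, and `w3wp.exe` connecting directly to a non-internal address) are the editor's reading of "unexpected system processes" and "unusual outbound traffic patterns", not published detection logic.

```python
"""Added example (editor's code, not from Trimble or CISA): folds the three IoC
categories from the advisory into one matcher over endpoint telemetry.
Indicator values are placeholders; events are constructed; the w3wp.exe
child-process and outbound-connection rules are the editor's assumptions."""
import ipaddress

# Placeholders: replace with the hashes, IPs and domains from Trimble's IoC list.
IOC_HASHES = {"PLACEHOLDER_SHA256_RUST_LOADER", "PLACEHOLDER_SHA256_VSHELL"}
IOC_IPS = {"203.0.113.10"}                 # documentation range, stands in for a real C2 IP
IOC_DOMAINS = {"c2-placeholder.example"}   # placeholder domain

# Children the IIS worker process spawns legitimately vary by deployment; this
# allowlist is an assumption for the example and must be tuned per environment.
W3WP_CHILD_ALLOWLIST = {"conhost.exe", "csc.exe", "cvtres.exe"}

# Address space treated as internal for the outbound rule (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _norm_hash(h):
    return h.strip().lower()


NORMALIZED_HASHES = {_norm_hash(h) for h in IOC_HASHES}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(event):
    """Return the list of rule names an event triggers (empty if nothing fired)."""
    hits = []
    kind = event["type"]
    if kind == "file" and _norm_hash(event["sha256"]) in NORMALIZED_HASHES:
        hits.append("ioc_file_hash")
    elif kind == "process":
        parent = event["parent"].lower()
        child = event["image"].lower()
        if parent == "w3wp.exe" and child not in W3WP_CHILD_ALLOWLIST:
            hits.append("unexpected_w3wp_child")
    elif kind == "net":
        dst = event["dst_ip"]
        if dst in IOC_IPS:
            hits.append("ioc_network_ip")
        # An IIS worker talking directly to a non-internal address is worth a
        # look even before the address appears on anyone's IoC list.
        if event.get("process", "").lower() == "w3wp.exe" and not is_internal(dst):
            hits.append("w3wp_outbound_to_public_ip")
    elif kind == "dns" and event["query"].lower().rstrip(".") in IOC_DOMAINS:
        hits.append("ioc_domain")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events that fired."""
    results = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[i] = hits
    return results


# Constructed telemetry: two benign events followed by five that should fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "w3wp.exe", "image": "csc.exe"},      # ASP.NET compile, allowed
    {"type": "net", "process": "w3wp.exe", "dst_ip": "10.0.0.9"},      # internal database, benign
    {"type": "file", "sha256": "placeholder_sha256_vshell", "path": "C:\\Windows\\Temp\\svc.exe"},
    {"type": "process", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"type": "net", "process": "w3wp.exe", "dst_ip": "203.0.113.10"},   # on the placeholder IoC list
    {"type": "net", "process": "w3wp.exe", "dst_ip": "198.51.100.7"},   # not listed, still outbound
    {"type": "dns", "query": "C2-Placeholder.example."},                # case and trailing dot normalised
]


def scan_sample():
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, rules in scan_sample().items():
        print(idx, SAMPLE_EVENTS[idx]["type"], rules)
```

Normalising hashes to lower case and stripping the trailing dot from DNS queries avoids the two most common reasons an IoC feed silently fails to match. The outbound rule is kept separate from the IP match on purpose: the advisory notes the campaign's full scope is still unclear, so behaviour that would be odd for an IIS worker regardless of destination is a more durable signal than any single address.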
The Bigger Picture: A Wake-Up Call for Asset Management Security
The active exploitation of CVE-2025-0994 is a stark reminder of the cybersecurity risks facing asset management platforms. As these systems increasingly integrate with critical infrastructure, they become attractive targets for both financially motivated attackers and nation-state actors.
Organizations must adopt a proactive cybersecurity posture, emphasizing:
Regular Vulnerability Assessments: Continuous scanning and patch management to identify and remediate vulnerabilities promptly.
Zero Trust Architecture: Minimizing implicit trust within networks to reduce the attack surface.
Security Awareness Training: Educating staff on recognizing phishing attempts and other social engineering tactics that could lead to initial access.
Conclusion
The CVE-2025-0994 vulnerability in Trimble Cityworks represents a significant threat, with active exploitation campaigns already underway. While patches are available, the window for remediation is closing rapidly as attackers capitalize on unpatched systems.
Organizations must act immediately to secure their environments, leveraging CISA’s guidance and adopting robust cybersecurity practices. Failure to do so could result in severe operational, financial, and reputational damage.