Attack

Trimble and CISA report active exploitation of their Cityworks platform

Take action: If you are using Trimble Cityworks, isolate it where possible so that it is reachable only via VPN or from trusted networks. Then review and correct IIS identity permissions to remove administrative privileges, and restrict the attachment directory root configuration to folders containing only attachments. Then plan an update to the latest version.


Learn More

Trimble and CISA are reporting an actively exploited vulnerability in Trimble's Cityworks asset and work management system, which is used primarily by local governments, utilities, and public works organizations to manage public assets, work orders, permitting, licensing, and capital planning.

The vulnerability is tracked as CVE-2025-0994 (CVSS v4.0 score: 8.6). It is a deserialization vulnerability that enables authenticated users to achieve remote code execution (RCE) on customers' Microsoft Internet Information Services (IIS) servers. Trimble has confirmed active exploitation of this vulnerability based on customer reports of unauthorized network access.

Affected Products:

  • Cityworks: All versions prior to 15.8.9
  • Cityworks with office companion: All versions prior to 23.10

Threat actors have been observed exploiting this vulnerability to deploy Cobalt Strike beacons for initial network access, install WinPutty for remote access capabilities, and execute unauthorized commands on IIS servers.

Trimble released patches on January 28 and 29, 2025, as versions 15.8.9 and 23.10 respectively; they are available from the Cityworks Support Portal (login required). Cloud-hosted instances (CWOL) will receive automatic updates, while on-premise deployments require immediate manual patching.

The company has identified two common misconfigurations that increase risk:

  1. Overprivileged IIS identity permissions, where servers are incorrectly running with local or domain-level administrative privileges
  2. Improper attachment directory configurations that extend beyond the necessary attachment-only folders

Users should immediately update to the latest version (15.8.9 or 23.10), review and correct IIS identity permissions to remove administrative privileges, and restrict the attachment directory root configuration to folders containing only attachments.
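As an added example (not Trimble's or CISA's own tooling), the following PowerShell audit checks an on-premise IIS host for the two misconfigurations described above. The attachment root path is an assumed parameter because the advisory does not say where Cityworks stores that setting, and the local-admin check relies on Get-LocalGroupMember (Windows Server 2016 or later); domain-level admin membership must be checked separately.

```powershell
<#
Added audit script, not from Trimble or CISA. Run elevated on the IIS server.
  Check 1: application pools running with local administrative privileges
  Check 2: an attachment directory root broader than an attachments-only folder
#>
param(
    # Placeholder path (assumption): replace with your configured attachment root
    [string]$AttachmentRoot = 'C:\Cityworks\Attachments'
)
Import-Module WebAdministration -ErrorAction Stop

# Local Administrators members, normalised to lower case "DOMAIN\user" / "HOST\user"
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.ToLower() }

# --- Check 1: application pool identities ---
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type = $pool.processModel.identityType   # ApplicationPoolIdentity, LocalSystem, ...
    $user = $pool.processModel.userName       # only set for SpecificUser
    if ($type -eq 'LocalSystem') {
        Write-Warning "$($pool.name): runs as LocalSystem (full local administrator)"
    } elseif ($type -eq 'SpecificUser' -and $admins -contains $user.ToLower()) {
        Write-Warning "$($pool.name): runs as $user, a member of local Administrators"
    } else {
        Write-Output "$($pool.name): identity $type $user (not a local admin; verify domain groups)"
    }
}

# --- Check 2: attachment directory root ---
$root = [System.IO.Path]::GetFullPath($AttachmentRoot).TrimEnd('\')
# Directories an attachment root must never equal or contain: drive root, IIS root, Windows
$broad = @([System.IO.Path]::GetPathRoot($root).TrimEnd('\'),
           "$env:SystemDrive\inetpub", $env:windir)
foreach ($b in $broad) {
    $b = $b.TrimEnd('\')
    if ($root -ieq $b -or $b.StartsWith("$root\", 'OrdinalIgnoreCase')) {
        Write-Warning "Attachment root '$root' covers '$b'; restrict it to an attachments-only folder"
    }
}
# Web-executable, binary or config content under the root means it is not attachments-only
$suspect = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Extension -in '.aspx','.asp','.ashx','.dll','.exe','.config','.ps1' }
if ($suspect) {
    $suspect | ForEach-Object { Write-Warning "Non-attachment content: $($_.FullName)" }
} else {
    Write-Output "Attachment root '$root' contains no web-executable or binary files"
}
```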
