CISA’s Warning: Active Exploitation of Trimble Cityworks Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a security vulnerability in Trimble Cityworks, a GIS-centric asset management software, which is being actively exploited in the wild.

The flaw, identified as CVE-2025-0994 (CVSS v4 score: 8.6), is a deserialisation of untrusted data vulnerability that can lead to remote code execution.

“This could enable an authenticated user to carry out a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server,” CISA stated in an advisory dated 6 February 2025.

Affected Versions

The vulnerability impacts the following versions of Cityworks:

  • Cityworks (All versions prior to 15.8.9)
  • Cityworks with Office Companion (All versions prior to 23.10)

Cyber Security Advisory

Trimble released patches to address this flaw on 29 January 2025. However, CISA has cautioned that the vulnerability is already being weaponised in active cyber attacks.

The Colorado-based company also confirmed reports of “unauthorised attempts to gain access to specific customers’ Cityworks deployments.”

Indicators of compromise (IoCs) shared by Trimble reveal that the flaw is being exploited to deploy a Rust-based loader, which in turn launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.

At this stage, the identity of the attackers and their ultimate objectives remain unknown. Users operating affected versions of Cityworks are urged to promptly update their systems to the latest version for enhanced protection.

Update:

In a related announcement, CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalogue, mandating that Federal Civilian Executive Branch (FCEB) agencies fix the issue by 28 February 2025.

“CISA strongly advises users and administrators to search for indicators of compromise (IoCs) and apply the required updates and workarounds,” the agency stated.
