Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution. "This could
Analysis Summary
# Vulnerability: Active Exploitation of Trimble Cityworks Deserialization Flaw
## CVE Details
- CVE ID: CVE-2025-0994
- CVSS Score: 8.6 (High - based on CVSS v4 mentioned in the text)
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: Trimble Cityworks GIS-centric asset management software
- Versions:
  - Cityworks: All versions prior to 15.8.9
  - Cityworks with office companion: All versions prior to 23.10
- Configurations: The vulnerability allows an *authenticated user* to exploit the flaw against a customer's Microsoft Internet Information Services (IIS) web server.
## Vulnerability Description
The vulnerability is a deserialization of untrusted data bug. Successful exploitation by an authenticated user can lead to Remote Code Execution (RCE) against the target customer's Microsoft IIS web server hosting the Cityworks deployment.
## Exploitation
- Status: Actively exploited in the wild (CISA warning)
- Complexity: Not explicitly stated, but RCE generally implies medium to high complexity depending on the specific attack path. The requirement for *authentication* suggests complexity may be elevated beyond unauthenticated RCE.
- Attack Vector: Exploitation occurs over the network against the web server.
## Impact
- Confidentiality: High (Implied by RCE)
- Integrity: High (Implied by RCE)
- Availability: High (Implied by RCE)
## Remediation
### Patches
- Trimble released patches on January 29, 2025. Users should update to versions:
  - Cityworks **15.8.9 or later**
  - Cityworks with office companion **23.10 or later**
### Workarounds
- No specific workarounds were detailed in the provided text, but immediate patching is strongly advised due to active exploitation.
## Detection
- **Indicators of Compromise (IoCs):** The active exploitation observed drops payloads including:
  - A Rust-based loader that subsequently launches **Cobalt Strike**.
  - A Go-based Remote Access Tool (RAT) named **VShell**.
- **Detection methods and tools:** Organizations should monitor their IIS web servers and network traffic for signs of these known payloads being downloaded or executed, as well as any unusual execution chains originating from the Cityworks application process.
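One way to hunt for the "unusual execution chains" mentioned above is to rebuild process trees under the IIS worker from process-creation telemetry. This is an added example, not code from CISA or Trimble. It assumes the Cityworks application runs inside `w3wp.exe`, that events carry Sysmon Event ID 1 field names, and that the baseline list suits the host; the sample events and `placeholder.exe` are constructed.

```python
import json
import ntpath

IIS_WORKER = "w3wp.exe"  # IIS worker process; assumed to host the Cityworks web app
# Assumed baseline of children an ASP.NET worker may legitimately start; tune per host.
BASELINE_CHILDREN = {"csc.exe", "werfault.exe"}

# Constructed sample: Sysmon Event ID 1 (process creation) fields as JSON lines, in time order.
SAMPLE_EVENTS = r"""
{"ProcessGuid":"g1","ParentProcessGuid":"g0","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"csc.exe /noconfig @example.cmdline"}
{"ProcessGuid":"g2","ParentProcessGuid":"g1","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe","ParentImage":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"cvtres.exe /NOLOGO"}
{"ProcessGuid":"g3","ParentProcessGuid":"g0","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"cmd.exe /c C:\\Temp\\placeholder.exe"}
{"ProcessGuid":"g4","ParentProcessGuid":"g3","Image":"C:\\Temp\\placeholder.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"C:\\Temp\\placeholder.exe"}
{"ProcessGuid":"g5","ParentProcessGuid":"g9","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
"""


def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def find_worker_chains(lines):
    """Return [(chain, command_line)] for non-baseline process trees under w3wp.exe."""
    chains = {}    # ProcessGuid -> image names from w3wp.exe down to that process
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        name = image_name(ev["Image"])
        if image_name(ev["ParentImage"]) == IIS_WORKER:
            if name in BASELINE_CHILDREN:
                continue          # expected child, e.g. ASP.NET dynamic compilation
            chain = [IIS_WORKER, name]
        elif ev["ParentProcessGuid"] in chains:
            chain = chains[ev["ParentProcessGuid"]] + [name]  # descendant of a flagged child
        else:
            continue              # unrelated to the web application
        chains[ev["ProcessGuid"]] = chain
        findings.append((" > ".join(chain), ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for chain, cmd in find_worker_chains(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {chain}: {cmd}")
```

Children of baseline processes (here `cvtres.exe` under `csc.exe`) are not flagged, while every descendant of a non-baseline child is reported with its full chain.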
## References
- CISA ICS Advisory: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04
- Trimble Customer Communication (IoCs Released): hxxps://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?