Full Report
Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. [...]
Analysis Summary
This summary is based on the provided context, which *only* indicates that a Cityworks RCE bug is being exploited to breach Microsoft IIS servers. Specific CVEs, versions, CVSS scores, and official patch details are **not present** in the article snippet, so placeholders reflecting the lack of specific data are used.
# Vulnerability: Exploitation of Cityworks RCE targeting Microsoft IIS Servers
## CVE Details
- CVE ID: [Unknown - Must be sourced from vendor/security advisories]
- CVSS Score: [Unknown] ([Unknown])
- CWE: [Specific CWE not stated in the snippet; the vendor describes the flaw as a deserialization vulnerability leading to RCE]
## Affected Systems
- Products: Cityworks (Application running on Microsoft IIS servers)
- Versions: [Unknown - Requires vendor advisory]
- Configurations: Assumed to affect environments running Cityworks components accessible via IIS.
## Vulnerability Description
The report describes active exploitation of a deserialization flaw in Trimble's Cityworks application that allows Remote Code Execution (RCE). Successful exploitation lets attackers run commands on the Microsoft IIS servers hosting the application and deploy Cobalt Strike beacons for initial network access, leading to system compromise.
## Exploitation
- Status: Exploited in the wild (Reported successful breaches)
- Complexity: [Unknown; the snippet reports successful in-the-wild exploitation but does not rate attack complexity]
- Attack Vector: Network (Remote execution implies network access to the vulnerable Cityworks component)
## Impact
- Confidentiality: High (Full system compromise grants access to sensitive data)
- Integrity: High (Ability to alter system files and data)
- Availability: High (Potential for system downtime or complete takeover)
## Remediation
### Patches
- [Specific patch details require the official Cityworks/Vendor advisory.]
### Workarounds
- [Temporary mitigations are not detailed in the context provided. General advice would be network isolation or disabling the vulnerable component if possible.]
## Detection
- **Indicators of Compromise (IoCs):** Focus on unusual process execution or abnormal activity originating from the IIS worker process (e.g., `w3wp.exe`). Unauthorized outbound network connections from the web server should be treated as suspicious.
- **Detection Methods and Tools:** Monitor web server logs for anomalous requests targeting Cityworks endpoints. Use Endpoint Detection and Response (EDR) solutions to monitor for post-exploitation behaviors such as shell creation or data exfiltration attempts originating from the web server.
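The two behaviours listed above (the IIS worker spawning a shell, and the web server opening unexpected outbound connections) can be checked mechanically. The following is an added example, not code from the article or from Trimble; the log lines are constructed to resemble Sysmon process-creation (EventID 1) and network-connection (EventID 3) records, and the field names and the internal address ranges are assumptions.

```python
"""Flag post-exploitation behaviour originating from the IIS worker process."""
import ipaddress
import re

WORKER = "w3wp.exe"
# Child processes a web worker has no business launching directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe"}
# Assumed internal ranges; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

# Constructed sample events, one per line (field names are assumptions).
SAMPLE_LOG = """\
EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"
EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine="w3wp.exe -ap CityworksPool"
EventID=3 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe DestinationIp=10.0.0.5 DestinationPort=1433
EventID=3 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe DestinationIp=203.0.113.7 DestinationPort=443
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe"
"""

def parse_event(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def is_suspicious(event):
    """Return a reason string if the event matches a rule, else None."""
    if event.get("EventID") == "1":
        child = basename(event.get("Image", ""))
        if basename(event.get("ParentImage", "")) == WORKER and child in SUSPICIOUS_CHILDREN:
            return f"{WORKER} spawned {child}: {event.get('CommandLine', '')}"
    elif event.get("EventID") == "3":
        dst = event.get("DestinationIp", "")
        if basename(event.get("Image", "")) == WORKER and dst and not is_internal(dst):
            return f"{WORKER} connected out to {dst}:{event.get('DestinationPort', '?')}"
    return None

def scan(log_text):
    """Run every rule over the log and return the list of alert reasons."""
    hits = [is_suspicious(parse_event(l)) for l in log_text.splitlines() if l.strip()]
    return [h for h in hits if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```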
## References
- Vendor Advisory: [Not available in context, search for official Cityworks/Esri advisories]
- Relevant links:
- https://www.bleepingcomputer.com/news/security/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/