Analysis Summary
# Vulnerability: Remote Code Execution in Trimble Cityworks via Deserialization
## CVE Details
- CVE ID: CVE-2025-0994
- CVSS Score: (Implied High Severity - Exact Score not provided)
- CWE: Deserialization Vulnerability
## Affected Systems
- Products: Trimble Cityworks, Cityworks with Office Companion
- Versions: Cityworks versions **before 15.8.9**, Cityworks with Office Companion versions **before 23.10**
- Configurations: Affects instances running the asset management and work order software, often exposed to the internet.
## Vulnerability Description
CVE-2025-0994 is a high-severity deserialization vulnerability present in Trimble Cityworks. Successful exploitation allows an authenticated attacker to achieve **Remote Code Execution (RCE)** against the target's Microsoft Internet Information Services (IIS) web server.
## Exploitation
- Status: **Active Exploitation** (Reported exploitation in the wild)
- Complexity: (Not explicitly stated, but RCE against critical infrastructure implies low to medium effort for an authenticated attacker)
- Attack Vector: Network (due to RCE against a web server)
### Impact (Inferred from RCE)
- Confidentiality: High (Potential data theft)
- Integrity: High (Ability to modify system files/settings)
- Availability: High (System compromise leading to downtime)
## Remediation
### Patches
- Upgrade Trimble Cityworks to version **15.8.9 or later**.
- Upgrade Cityworks with Office Companion to version **23.10 or later**.
### Workarounds
None explicitly listed; however, CISA recommends immediate mitigation actions, or discontinuation of the product if mitigations are unavailable, which highlights the criticality.
## Detection
Observed exploitation leveraged custom **Rust-based loaders** to inject **VShell** and **Cobalt Strike** into memory.
**Indicators of Compromise (IoCs) include:**
- **File Hashes (SHA-256):** (See Table 1 in source for full list)
  - `4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5` (Obfuscated JavaScript payload)
  - `883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925` (Cobalt Strike loader)
- **File Artifacts:** Files stored in `%TEMP%`, including randomized alphanumeric executables (e.g., `fq1u4t83.exe`) and files masquerading as legitimate services (`winpty.dll`, `winpty-agent.exe`).
- **C2 Infrastructure:**
  - IP Addresses: `192.210.239.172` (Ports 3219, 4219)
  - Domains: `cdn.phototagx.com`, `ifode.xyz`
  - URLs suggestive of Cobalt Strike beacons.
**Detection Methods:**
- Use the Nuclei template provided by Insikt Group to test instances prior to patching.
- Monitor for suspicious processes starting in the `%TEMP%` directory or executables downloaded via C2 protocols.
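The following is an added example of how the detection guidance above can be turned into a triage script; it is not code from the advisory, Insikt Group or Trimble. The file hashes, C2 address, domains and `winpty` file names are the IoCs listed on this page. Everything else is an assumption: the `key=value` log line format (modelled loosely on process-creation, network-connection and DNS telemetry), the heuristic that the randomized `%TEMP%` executable name is eight lowercase alphanumerics (generalized from the single sample `fq1u4t83.exe`), and the rule that flags binaries in `%TEMP%` spawned by the IIS worker process `w3wp.exe` (consistent with RCE through IIS, but not something the advisory states). The sample log lines are constructed and include a benign line to show the rules do not fire on it.

```python
import re

# Indicators of compromise taken from the advisory above.
KNOWN_HASHES = {
    "4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5": "obfuscated JavaScript payload",
    "883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925": "Cobalt Strike loader",
}
C2_IPS = {"192.210.239.172"}
C2_PORTS = {"3219", "4219"}
C2_DOMAINS = {"cdn.phototagx.com", "ifode.xyz"}
MASQUERADE_NAMES = {"winpty.dll", "winpty-agent.exe"}

# Heuristics that are assumptions, not advisory content: the randomized name in the
# advisory (fq1u4t83.exe) is eight lowercase alphanumerics, and IIS application code
# runs inside the w3wp.exe worker process.
RANDOM_EXE = re.compile(r"^[a-z0-9]{8}\.exe$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
IIS_WORKER = "w3wp.exe"

# Assumed log format: space-separated key=value pairs, values with spaces in quotes.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the IoC / heuristic matches for one event; an empty list means no match."""
    hits = []
    image = event.get("image", "")
    name = basename(image)
    kind = event.get("event")
    if kind == "ProcessCreate":
        digest = event.get("sha256", "").lower()
        if digest in KNOWN_HASHES:
            hits.append(f"known malicious hash ({KNOWN_HASHES[digest]})")
        if TEMP_PATH.search(image):
            if RANDOM_EXE.match(name):
                hits.append("randomized executable launched from %TEMP%")
            if name in MASQUERADE_NAMES:
                hits.append(f"winpty masquerade file in %TEMP% ({name})")
            if basename(event.get("parent", "")) == IIS_WORKER:
                hits.append("IIS worker process spawned a binary from %TEMP%")
    elif kind == "NetworkConnect":
        dst, port = event.get("dst", ""), event.get("dport", "")
        if dst in C2_IPS:
            note = "" if port in C2_PORTS else " (port not in advisory list)"
            hits.append(f"connection to known C2 address {dst}:{port}{note}")
    elif kind == "DnsQuery":
        query = event.get("query", "").lower().rstrip(".")
        if query in C2_DOMAINS or any(query.endswith("." + d) for d in C2_DOMAINS):
            hits.append(f"DNS lookup of known C2 domain {query}")
    return hits


def triage(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Evaluate every non-empty line; return (line_no, image, hits) for lines that matched."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_event(line)
        hits = evaluate(event)
        if hits:
            findings.append((line_no, event.get("image", ""), hits))
    return findings


# Constructed sample telemetry: one benign IIS start-up line, an intrusion chain using
# the advisory's IoCs, and a benign desktop process. Unknown hashes are placeholders.
SAMPLE_LOG = "\n".join([
    r"event=ProcessCreate image=C:\Windows\System32\inetsrv\w3wp.exe parent=C:\Windows\System32\svchost.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
    r"event=ProcessCreate image=C:\Windows\Temp\fq1u4t83.exe parent=C:\Windows\System32\inetsrv\w3wp.exe sha256=883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925",
    r"event=ProcessCreate image=C:\Windows\Temp\winpty-agent.exe parent=C:\Windows\Temp\fq1u4t83.exe sha256=1111111111111111111111111111111111111111111111111111111111111111",
    r"event=NetworkConnect image=C:\Windows\Temp\fq1u4t83.exe dst=192.210.239.172 dport=4219",
    r"event=DnsQuery image=C:\Windows\Temp\fq1u4t83.exe query=cdn.phototagx.com",
    r'event=ProcessCreate image="C:\Program Files\Common Files\example.exe" parent=C:\Windows\explorer.exe sha256=2222222222222222222222222222222222222222222222222222222222222222',
])

if __name__ == "__main__":
    for line_no, image, hits in triage(SAMPLE_LOG):
        print(f"line {line_no}: {image}")
        for hit in hits:
            print(f"    - {hit}")
```

Run against real telemetry, the hash rule is exact and the network and DNS rules are exact on the advisory's infrastructure, so those findings warrant immediate response; the `%TEMP%` name and parent-process rules are heuristics and should be reviewed as leads rather than treated as confirmation.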
## References
- Vendor Advisory (Link not provided directly, referenced via Trimble communication)
- CISA Known Exploited Vulnerabilities Catalog
- Recorded Future Blog: hXXps://www[.]recordedfuture[.]com/blog (Search for CVE-2025-0994)