Full Report
Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
Analysis Summary
# Vulnerability: Remote Code Execution in Cityworks Asset Management System
## CVE Details
- CVE ID: CVE-2025-0994 (Note: the source text frequently refers to CVE-2025-0944 when describing the exploitation; CVE-2025-0994 is taken as the correct ID based on the initial mention.)
- CVSS Score: N/A (not provided in the source material)
- CWE: N/A (not provided in the source material)
## Affected Systems
- Products: Cityworks (Asset Management System)
- Versions: Specific vulnerable versions are not detailed in the source material; the vulnerable Cityworks application was the entry point for the observed intrusions.
- Configurations: Observed targets were IIS web servers hosting the vulnerable Cityworks application.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw within the Cityworks asset management system. Successful exploitation allows an unauthenticated attacker on the network to execute arbitrary operating system commands on the underlying server. Observed post-exploitation activity begins with reconnaissance (e.g., `ipconfig`, directory enumeration), followed by the rapid deployment of web shells (AntSword, chinatso/Chopper) and custom malware for persistent access.
## Exploitation
- Status: **Exploited in the wild** (Observed by Cisco Talos since January 2025, linked to threat group UAT-6382).
- Complexity: Low (Implied, as exploitation leads to rapid post-compromise activity).
- Attack Vector: Network (Remote exploitation observed).
## Impact
- Confidentiality: High (Implied, due to data staging and exfiltration attempts).
- Integrity: High (Confirmed by the deployment of web shells and custom malware, including Cobalt Strike and VShell).
- Availability: Medium (Implied, due to potential system disruption from malware activity).
## Remediation
### Patches
- Specific vendor patch versions were not listed in the source material; consult the Trimble/Cityworks advisory and CISA advisory ICSA-25-037-04 for fixed versions.
### Workarounds
- Restrict network access to the Cityworks application exposed on IIS servers.
- Monitor for and block outbound connections to known malicious infrastructure.
## Detection
- **Indicators of Compromise (IOCs):**
  - **File Hashes (TetraLoader):**
    - `14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f`
    - `4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9`
    - `1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b`
    - `1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901`
  - **Cobalt Strike Beacon Hash:** `C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738`
  - **Network IOCs (Domains/IPs):**
    - `cdn[.]phototagx[.]com`
    - `www[.]roomako[.]com`
    - `lgaircon[.]xyz`
    - `192[.]210[.]239[.]172` (and related ports/paths)
- **Detection Methods and Tools:**
  - Monitor for execution of the reconnaissance commands seen in these intrusions (`cmd.exe /c ipconfig`, `dir c:\inetpub\wwwroot\CityworksServer\WebSite`).
  - Deploy Snort rules or equivalent network monitoring to detect traffic to the listed command-and-control domains.
  - Look for PowerShell `Invoke-WebRequest` invocations that fetch content from suspicious external IPs (e.g., `192[.]210[.]239[.]172`).
  - Scan systems for known web shells (AntSword, Chopper) and for Rust-based executables that inject payloads into benign processes such as `notepad.exe` (TetraLoader behavior).
## References
- Vendor Advisory (Trimble): hxxps://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0
- CISA Advisory: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04
- CVE Record: hxxps://www.cve.org/CVERecord?id=CVE-2025-0994
- IOC Repository: hxxps://github.com/Cisco-Talos/IOCs/tree/main/2025/05