A vulnerability in Trimble Cityworks, the GIS-centric asset management software, is reportedly being exploited in the wild. Tracked as CVE-2025-0994 and assigned a CVSS v4 score of 8.6, the flaw is a deserialization of untrusted data bug (CWE-502) that allows remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about the flaw and stated that it could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server. Because the attacker needs valid credentials, a single compromised or weak Cityworks account is enough to reach the vulnerable code path. The weakness affects all versions of Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10.
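The following C# is an added illustration of the bug class CISA describes, a .NET request handler that hands an untrusted request body to a deserializer that reconstructs whatever type the sender names, shown beside a hardened form. It is not Cityworks code and not Trimble's fix; the handler name, the request type and its fields are assumptions made for the example.

```csharp
// Added illustration of the bug class only (CWE-502). Not Cityworks code:
// the real entry point is not public on this page, so the handler name,
// MapLayerRequest and its fields are assumptions.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// A plain data type with no behaviour: the only shape we ever accept.
public sealed class MapLayerRequest
{
    public string LayerName { get; set; } = "";
    public int    Zoom      { get; set; }
}

public static class LayerHandler
{
    // VULNERABLE: BinaryFormatter instantiates whatever .NET type the stream
    // names and runs that type's deserialization callbacks. An authenticated
    // user who can reach this endpoint sends a "gadget" object graph whose
    // side effects execute code inside the IIS worker process (w3wp.exe),
    // which is the RCE-against-IIS outcome CISA describes.
    public static object HandleUnsafe(Stream requestBody)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete for exactly this reason
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(requestBody);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: parse into one concrete, behaviour-free type. System.Text.Json
    // never honours a type name carried in the payload, so the caller cannot
    // choose which class is constructed; unknown fields are ignored, nesting
    // depth is bounded, and the result is validated before it is used.
    public static MapLayerRequest HandleSafe(Stream requestBody)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 8 // cap nesting to bound parser work on hostile input
        };
        var req = JsonSerializer.Deserialize<MapLayerRequest>(requestBody, options)
                  ?? throw new InvalidDataException("empty request body");

        if (req.LayerName.Length == 0 || req.LayerName.Length > 64)
            throw new InvalidDataException("bad layer name");
        if (req.Zoom < 0 || req.Zoom > 22)
            throw new InvalidDataException("zoom out of range");
        return req;
    }
}
```

The check a reviewer would make on a .NET code base in IIS is simply whether any request path reaches BinaryFormatter, NetDataContractSerializer, SoapFormatter, or a JSON.NET serializer configured with TypeNameHandling other than None; each of these lets the payload pick the type, which is the property the hardened form removes. On .NET 8 and later BinaryFormatter throws unless explicitly re-enabled, so the unsafe method above is also a signal that an application has opted back in.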
Trimble has acknowledged attacks against some of its customers. The indicators of compromise (IoCs) it published from those investigations show the vulnerability being exploited to deliver a Rust-based loader, which in turn launches Cobalt Strike and VShell, a Go-based remote access tool, among other as-yet-unidentified payloads.
Trimble, headquartered in Colorado, has released fixed versions. Users should upgrade to Cityworks 15.8.9 or later (or 23.10 or later for deployments with Office Companion) and sweep their IIS hosts for the published indicators of compromise, since patching closes the entry point but does not remove a loader or beacon that an attacker has already installed.
CISA has confirmed that the vulnerability is being exploited in real-world attacks and has added it to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by February 28, 2025.