CISA Warns of Active Exploitation in Trimble Cityworks Vulnerability Leading to IIS RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.

The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.

“This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server,” CISA said in an advisory dated February 6, 2025.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

The flaw affects the following versions –

• Cityworks (All versions prior to 15.8.9)
• Cityworks with office companion (All versions prior to 23.10)

While Trimble has released patches to address the security defect as of January 29, 2025, CISA has warned that it is being weaponized in real-world attacks.

The Colorado-headquartered company also noted that it has received reports of “unauthorized attempts to gain access to specific customers’ Cityworks deployments.”

Indicators of compromise (IoCs) released by Trimble show that the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.

It’s currently not known who is behind the attacks, and what the end goal of the campaign is. Users running affected versions of the software are advised to update their instances to the latest version for optimal protection.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.