RCE flaw on Cityworks, vector for breaching MS IIS servers

February 12, 2025

Hackers exploit a Trimble Cityworks deserialisation bug to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.

The affected product, Cityworks, is GIS-based asset management and work order management software primarily serving local governments, utilities, and public works agencies. It enables governments and infrastructure agencies to manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other functions.

Researchers track the vulnerability in question as CVE-2025-0994. This flaw is classified as highly severe and has a CVSS v4.0 score of 8.6 out of 10. The bug is a deserialisation issue that enables authenticated users to launch RCE attacks against a customer’s Microsoft Internet Information Services (IIS) servers.

The product vendor says it has already analysed customer reports of hackers using the issue to gain unauthorised access to client networks, indicating that exploitation is taking place.

 

The exploitation of the Trimble Cityworks bug allows hackers to breach networks.

 

CISA has also issued a similar advisory about the Cityworks bug, urging clients to defend their networks against threats promptly. Reports revealed that the CVE-2025-0994 vulnerability affects Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions before 23.10.

The latest versions, 15.8.9 and 23.10, were released last month. Administrators who manage on-premises deployments must apply the security update ASAP, whereas cloud-hosted instances (CWOL) will receive it automatically.

Trimble reports that some on-premises deployments may have overprivileged IIS identity permissions and warns that IIS should not be run with local or domain-level administrative privileges.

Furthermore, some deployments contain flawed attachment directory configurations. The provider advises that attachment root folders include only attachments. Once all three actions have been completed, customers can resume normal operations with Cityworks.
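One way to check the two deployment conditions described above on an on-premises IIS server, as an added example that is not Trimble's or CISA's tooling. The attachment root path is a placeholder and the list of file extensions treated as "not attachments" is an assumption made for this example.

```powershell
param(
    # Placeholder (assumption): set to the attachment root configured for the site.
    [string]$AttachmentRoot = 'D:\CityworksAttachments'
)
Import-Module WebAdministration

# Direct members of the local Administrators group, looked up by well-known SID
# so the check also works on localized Windows builds.
$adminLeafNames = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { ($_.Name -split '\\')[-1] }

# 1. Application pools whose identity has administrative rights.
$poolFindings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type   = [string]$pool.processModel.identityType
    $user   = [string]$pool.processModel.userName
    $reason = $null
    if ($type -eq 'LocalSystem') {
        $reason = 'runs as LocalSystem'
    } elseif ($type -eq 'SpecificUser' -and $user) {
        # Compare account names without the domain or machine prefix (conservative match).
        $leaf = ($user -split '\\')[-1]
        if ($adminLeafNames -contains $leaf) { $reason = 'account is in local Administrators' }
    }
    if ($reason) {
        [pscustomobject]@{ AppPool = $pool.Name; IdentityType = $type; User = $user; Reason = $reason }
    }
}

# 2. Files under the attachment root that are not plausible attachments.
# Constructed list (assumption): server-executable or script content.
$suspectExtensions = '.aspx', '.ashx', '.asmx', '.asp', '.config', '.dll',
                     '.exe', '.ps1', '.bat', '.cmd', '.vbs'
$fileFindings = Get-ChildItem -LiteralPath $AttachmentRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $suspectExtensions -contains $_.Extension.ToLowerInvariant() } |
    Select-Object FullName, Length, LastWriteTimeUtc

'Application pools with administrative identities:'
$poolFindings | Format-Table -AutoSize
'Unexpected file types under the attachment root:'
$fileFindings | Format-Table -AutoSize
```

The script only sees direct members of the local Administrators group; membership through nested or domain-level groups has to be resolved separately in the directory.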

While CISA has not disclosed how the bug is exploited, Trimble has revealed IoCs for attacks that leverage the vulnerability. These indicators of compromise show that the threat actors used several remote access methods, including WinPutty and Cobalt Strike beacons.

Lastly, Microsoft released an advisory earlier this week warning that threat actors are breaching IIS servers to spread malware through ViewState code injection attacks that use ASP.NET machine keys available online.
