The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has warned {that a} safety flaw impacting Trimble Cityworks GIS-centric asset administration software program has come beneath lively exploitation within the wild.
The vulnerability in query is CVE-2025-0994 (CVSS v4 rating: 8.6), a deserialization of untrusted knowledge bug that might allow an attacker to conduct distant code execution.
“This might permit an authenticated person to carry out a distant code execution assault in opposition to a buyer’s Microsoft Web Info Companies (IIS) internet server,” CISA mentioned in an advisory dated February 6, 2025.
The flaw impacts the next variations –
- Cityworks (All variations prior to fifteen.8.9)
- Cityworks with workplace companion (All variations previous to 23.10)
Whereas Trimble has launched patches to deal with the safety defect as of January 29, 2025, CISA has warned that it’s being weaponized in real-world assaults.
The Colorado-headquartered firm additionally famous that it has obtained reviews of “unauthorized makes an attempt to realize entry to particular prospects’ Cityworks deployments.”
Indicators of compromise (IoCs) launched by Trimble present that the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based distant entry instrument named VShell, amongst different unidentified payloads.
It is presently not identified who’s behind the assaults, and what the top objective of the marketing campaign is. Customers operating affected variations of the software program are suggested to replace their cases to the newest model for optimum safety.
Replace
In a separate bulletin, CISA added CVE-2025-0994 to its Identified Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Government Department (FCEB) companies to remediate the flaw by February 28, 2025.
“CISA strongly encourages customers and directors to seek for indicators of compromise (IOCs) and apply the required updates and workarounds,” the company mentioned.
