U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Trimble Cityworks vulnerability to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Trimble Cityworks vulnerability, tracked as CVE-2025-0994, to its Known Exploited Vulnerabilities (KEV) catalog.
Trimble Cityworks is a GIS-centric asset management and permitting software designed for local governments, utilities, and public works organizations. It integrates with Esri’s ArcGIS to help manage infrastructure assets, track work orders, and streamline operations.
CVE-2025-0994 (CVSS v4 score of 8.6) is a deserialization of untrusted data vulnerability. An authenticated attacker could trigger the flaw to achieve remote code execution.
“Successful exploitation of this vulnerability could allow an authenticated user to perform a remote code execution,” reads CISA’s advisory. “This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.”
The vulnerability impacts Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10.
Trimble’s advisory includes Indicators of Compromise (IoCs) associated with a campaign exploiting this vulnerability to deploy a Rust-based loader that launches Cobalt Strike, the Go-based remote access tool VShell, and other unknown payloads.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by February 28, 2025.
(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)