The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical vulnerability in Trimble’s Cityworks software for geographic information systems (GIS). This vulnerability, identified as CVE-2025-0994, is currently under active exploitation, posing significant risk to its users.
CVE-2025-0994 carries a CVSS v4 score of 8.6, indicating a high level of severity. It is classified as a deserialization issue involving untrusted data, which could potentially allow an authenticated user to execute arbitrary code on a customer’s Microsoft Internet Information Services (IIS) web server. CISA provided this information in an advisory released on February 6, 2025.
The vulnerability impacts all versions of Cityworks prior to 15.8.9 and Cityworks with Office Companion prior to version 23.10. Consequently, organizations still operating these outdated versions are highly encouraged to update their software to mitigate potential threats.
Despite the availability of patches released on January 29, 2025, CISA reports that this flaw is being utilized in real-world attacks. Trimble has received communications indicating unauthorized attempts to access select customers’ Cityworks deployments, highlighting the urgency for affected organizations to act swiftly.
Indicators of compromise (IoCs) disclosed by Trimble reveal that attackers are exploiting the vulnerability to deploy a Rust-based loader, triggering Cobalt Strike, as well as a remote access tool known as VShell. Additional unknown payloads may also be leveraged during these attacks, complicating the landscape for targeted organizations.
The attackers’ identity and long-term intentions remain undetermined, but given the nature of the exploitation, methods consistent with initial access and persistence techniques from the MITRE ATT&CK framework may have been employed. Organizations are urged to adopt a proactive stance by searching for IoCs and implementing the provided updates without delay.
CVE-2025-0994 Included in KEV Catalog
In a related development, CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog, which mandates Federal Civilian Executive Branch (FCEB) agencies to address the flaw by February 28, 2025. CISA has reinforced the need for users and administrators to diligently monitor for IoCs while applying critical updates and workarounds to safeguard their systems.
Vulnerabilities in Cityworks Instances
Censys, an attack surface management platform, reports that there are 335 Trimble Cityworks instances exposed to the internet, with approximately 91% located within the United States. Alarmingly, 108 of these instances are running versions vulnerable to CVE-2025-0994, underscoring the potential for widespread exploitation.
