A zero-day vulnerability has been discovered in Trimble Cityworks, enabling remote code execution (RCE) on Microsoft IIS web servers. According to CISA, the flaw is already being actively exploited in real-world attacks.
Cityworks is a GIS-driven asset management solution widely used by municipal authorities, airports, utility providers, and various infrastructure organizations. Given its global adoption, the platform presents an attractive target for cybercriminals.
Exploitation of CVE-2025-0994 (CVSS score: 8.6) allows an attacker with a valid Cityworks account to gain full control over the host server. The vulnerability arises from insecure deserialization of untrusted data (CWE-502) and affects all versions of Cityworks prior to 15.8.9, as well as Cityworks with Office Companion versions before 23.10.
Although CISA has issued an advisory regarding industrial sector attacks, the report clarifies that Cityworks does not directly control industrial processes, excluding it from ICS system classification. However, Trimble has confirmed that threat actors leveraged CVE-2025-0994 to deploy Cobalt Strike and other undisclosed malware strains, indicating a highly targeted campaign against specific organizations.
The identity of the threat actors remains unknown. However, Trimble has received reports of unauthorized access attempts against specific Cityworks deployments. Given the profile of the software’s user base, security analysts speculate that critical infrastructure entities may have been the primary targets.
Trimble has released patches for Cityworks 15.8.9 and Cityworks 23.10. Cloud-based Cityworks Online users will receive updates automatically, while on-premise deployments are strongly advised to apply the fixes manually.
Additionally, IIS permissions should be reviewed, as overly permissive configurations could exacerbate the risk of exploitation.
CISA reiterates a set of best-practice security measures, including:
- Validating attachment directory configurations to prevent unauthorized access.
- Minimizing IIS permissions to reduce the attack surface.
- Deploying patches promptly to mitigate the threat.
The agency also urges organizations to adopt a defense-in-depth strategy and implement intrusion detection mechanisms to enhance cyber resilience.
Cybersecurity experts strongly recommend that Trimble Cityworks users apply security updates without delay and review system logs for any anomalous activity. In the event of suspicious findings, organizations should follow internal security protocols and report incidents to CISA.
