CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.
"This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server," CISA said in an advisory dated February 6, 2025.
The flaw affects the following versions -
- Cityworks (All versions prior to 15.8.9)
- Cityworks with office companion (All versions prior to 23.10)
While Trimble has released patches to address the security defect as of January 29, 2025, CISA has warned that it is being weaponized in real-world attacks.
The Colorado-headquartered company also noted that it has received reports of "unauthorized attempts to gain access to specific customers' Cityworks deployments."
Indicators of compromise (IoCs) released by Trimble show that the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.
It's currently not known who is behind the attacks, and what the end goal of the campaign is. Users running affected versions of the software are advised to update their instances to the latest version for optimal protection.
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
HighPath Traversal
InformationalCross Site Scripting (Persistent) - Spider
InformationalCookie Poisoning
InformationalInformation Disclosure - Suspicious Comments
Free online web security scanner