Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers
Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
Trimble Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software designed primarily for local governments, utilities, and public works organizations.
The product helps municipalities and infrastructure agencies manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other things.
The flaw, tracked as CVE-2025-0994, is a high severity (CVSS v4.0 score: 8.6) deserialization problem that allows authenticated users to perform RCE attacks against a customer's Microsoft Internet Information Services (IIS) servers.
Trimble states that it has investigated customer reports about hackers gaining unauthorized access to customer networks by leveraging the flaw, indicating that exploitation is underway.
Exploiting to breach networks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a coordinated advisory warning customers to immediately secure their networks from attacks.
The CVE-2025-0994 flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions before 23.10.
The latest versions, 15.8.9 and 23.10, were made available on January 28 and 29, 2025, respectively.
Administrators managing on-premises deployments must apply the security update as soon as possible, while cloud-hosted instances (CWOL) will receive the updates automatically.
Trimble says it has discovered that some on-premises deployments may have overprivileged IIS identity permissions, warning that these should not run with local or domain-level administrative privileges.
Moreover, some deployments have incorrect attachment directory configurations. The vendor recommends restricting attachment root folders to contain only attachments.
After completing all three actions (applying the update, correcting the IIS identity permissions, and restricting the attachment directory configuration), customers may resume normal operations with Cityworks.
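The two configuration checks Trimble describes (IIS identities without local or domain administrative privileges, and attachment root folders that hold only attachments) can be audited from the IIS host. The script below is an added example, not Trimble's or CISA's code; it assumes the WebAdministration module is present, that `$AttachmentRoot` is replaced with the real attachment root (the path shown is a placeholder, not a Cityworks default), that the optional Domain Admins check has the ActiveDirectory module available, and that the list of "non-attachment" file types is a starting point to adjust for your environment.

```powershell
# Added audit example: flag IIS application pools running as privileged
# identities, then list files in the attachment root that are not attachments.
# Assumptions: WebAdministration module; ActiveDirectory module optional;
# $AttachmentRoot is a placeholder; the $suspect extension list is illustrative.
Import-Module WebAdministration

$AttachmentRoot = 'D:\Cityworks\Attachments'   # PLACEHOLDER: set to the real attachment root

# Built-in identities: only LocalSystem is administrative; the others map to
# low-privilege virtual/service accounts.
$builtInPrivileged = @{
    'ApplicationPoolIdentity' = $false
    'NetworkService'          = $false
    'LocalService'            = $false
    'LocalSystem'             = $true
}

# Members of the local Administrators group, as DOMAIN\user or HOST\user.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }

# Domain Admins (recursive), only if the AD module is installed on this host.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
}

function Test-AppPoolIdentity {
    # Returns one object per application pool with an Overprivileged flag.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $type = "$($pool.processModel.identityType)"
        $user = "$($pool.processModel.userName)"
        $identity = $type
        $flag = $false
        if ($type -eq 'SpecificUser') {
            # Custom account: matching assumes DOMAIN\user form in both lists.
            $identity = $user
            $flag = ($localAdmins -contains $user) -or ($domainAdmins -contains $user)
        } elseif ($builtInPrivileged.ContainsKey($type)) {
            $flag = $builtInPrivileged[$type]
        }
        [pscustomobject]@{
            AppPool        = $pool.Name
            Identity       = $identity
            Overprivileged = $flag
        }
    }
}

function Get-NonAttachmentFiles {
    # Lists script/binary files under the attachment root; an attachment
    # folder should contain only documents and images, never web handlers.
    $suspect = '*.aspx','*.asp','*.ashx','*.asmx','*.exe','*.dll','*.ps1','*.bat','*.cmd'
    Get-ChildItem -Path $AttachmentRoot -Recurse -File -Include $suspect -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Test-AppPoolIdentity | Format-Table -AutoSize
Get-NonAttachmentFiles | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each on-premises Cityworks IIS host. Any pool reported as `Overprivileged = True` should be moved to a dedicated low-privilege account, and any hit from the attachment scan is worth preserving and examining before removal, since a web handler inside an upload directory is exactly the kind of artifact a post-exploitation toolset leaves behind.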
While CISA has not shared how the flaw is being exploited, Trimble has released indicators of compromise for attacks seen exploiting the vulnerability.
These IOCs indicate that the threat actors deployed a variety of tools for remote access, including WinPutty and Cobalt Strike beacons.
Microsoft also warned yesterday that threat actors are breaching IIS servers to deploy malware in ViewState code injection attacks using ASP.NET machine keys exposed online.