The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.
“This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server,” CISA said in an advisory dated February 6, 2025.
The flaw affects the following versions –
- Cityworks (All versions prior to 15.8.9)
- Cityworks with office companion (All versions prior to 23.10)
While Trimble has released patches to address the security defect as of January 29, 2025, CISA has warned that it is being weaponized in real-world attacks.
The Colorado-headquartered company also noted that it has received reports of “unauthorized attempts to gain access to specific customers’ Cityworks deployments.”
Indicators of compromise (IoCs) released by Trimble show that the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.
It’s currently not known who is behind the attacks, and what the end goal of the campaign is. Users running affected versions of the software are advised to update their instances to the latest version for optimal protection.
Update
In a separate bulletin, CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by February 28, 2025.
“CISA strongly encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds,” the agency said.