External risk intelligence

Trimble Cityworks Remote Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2025-0994

A deserialization vulnerability in Trimble Cityworks allows an authenticated user to execute remote code on the web server. This impacts organizations using the affected software, potentially leading to unauthorized access and service disruptions. Organizations should identify affected systems and apply vendor updates.

4Halo Surface Signal

Deserialization

Trimble Cityworks

before 15.8.923.0 to before 23.10

External exposure likelihood

Halo Surface Signal score for CVE-2025-0994

Trimble Cityworks is a web-based application typically deployed on Microsoft IIS servers to facilitate organizational workflows. As a centralized web platform, it is commonly exposed as an internet-facing or externally reachable enterprise service to support remote access and distributed operations.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

Trimble Cityworks software contains a deserialization vulnerability that could permit an authenticated user to execute code remotely on a customer's Microsoft Internet Information Services (IIS) web server. This flaw is present in versions prior to 15.8.9, and in Cityworks with office companion versions prior to 23.10. The successful exploitation of this vulnerability could lead to a compromise of the affected web server.

  • Vulnerable: Trimble Cityworks
  • Flaw: Deserialization vulnerability
  • Impact: Remote code execution

Attack Path

How an attacker could exploit the issue

A deserialization vulnerability in Trimble Cityworks allows an authenticated user to execute arbitrary code on the underlying web server. This occurs when the affected software processes specifically crafted serialized data. Successful exploitation enables an attacker to gain control of the web server, potentially impacting data integrity and availability.

  • Exposure condition: Internet-facing web server.
  • Attacker starting point: Authenticated user.
  • Trigger and result: Trigger deserialization; gain remote control.

Live Threat

Current exploitation, exposure, and threat context

Trimble Cityworks is vulnerable to a deserialization flaw that enables authenticated users to execute remote code on an organization's web server. This vulnerability has been actively exploited in the wild, posing a significant risk to organizations that use this software, particularly those in critical infrastructure sectors. The exploitation could lead to unauthorized access to sensitive data, service disruptions, or a complete compromise of the affected web server.

  • Attackers with authenticated access.
  • Remotely, with low difficulty.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization utilizing Trimble Cityworks should address a deserialization vulnerability that could enable authenticated users to execute remote code on a Microsoft Internet Information Services (IIS) web server. This vulnerability poses a significant risk to affected systems and the data they manage. Organizations should prioritize immediate action to identify and mitigate this exposure.

  • Identify all instances of affected Trimble Cityworks.
  • Restrict access to or isolate exposed systems.
  • Apply vendor updates, verify remediation, and monitor systems.

Frequently asked questions

What is Trimble Cityworks and what is its role in asset management?

Trimble Cityworks is a web-based software designed to help organizations manage the lifecycle of public infrastructure assets. It utilizes GIS technology to assist with various functions, including permitting, licensing, construction, maintenance, and replacement processes.

What is the specific weakness in CVE-2025-0994 and how does it manifest?

CVE-2025-0994 involves a deserialization vulnerability where the software does not adequately validate untrusted serialized data before processing it. This weakness, categorized as CWE-502, allows for the execution of arbitrary code when the system deserializes malicious objects.

What are the prerequisites for an attacker to exploit CVE-2025-0994?

An attacker must first be authenticated to the Trimble Cityworks system. The exploit involves sending specially crafted serialized objects over the network to the Microsoft Internet Information Services (IIS) web server hosting the vulnerable application.

What is the potential impact of CVE-2025-0994 exploitation on affected systems?

Successful exploitation can lead to remote code execution (RCE) on the customer's Microsoft Internet Information Services (IIS) web server. This could allow an attacker to install programs, modify or delete data, and potentially compromise the entire system, especially if the user account has administrative privileges.

What steps should be taken to address CVE-2025-0994?

Organizations should immediately update Trimble Cityworks to version 15.8.9 or later, and Cityworks with Office Companion to version 23.10 or later. Other recommended actions include restricting network access to critical systems, validating and sanitizing all user input, enabling application whitelisting on IIS servers, and auditing IIS permissions to ensure the principle of least privilege is followed.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified