Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
Trimble Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software designed primarily for local governments, utilities, and public works organizations.
The product helps municipalities and infrastructure agencies manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other things.
The flaw, tracked as CVE-2025-0994, is a high-severity (CVSS v4.0 score: 8.6) deserialization issue that allows authenticated users to perform RCE attacks against a customer's Microsoft Internet Information Services (IIS) servers.
Trimble states that it has investigated customer reports about hackers gaining unauthorized access to customer networks by leveraging the flaw, indicating that exploitation is underway.
Exploiting to breach networks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a coordinated advisory warning customers to immediately secure their networks from attacks.
The CVE-2025-0994 flaw affects Cityworks versions prior to 15.8.9 and Cityworks with office companion versions earlier than 23.10.
The latest versions, 15.8.9 and 23.10, were made available on January 28 and 29, 2025, respectively.
Administrators managing on-premise deployments should apply the security update as soon as possible, while cloud-hosted instances (CWOL) will receive the updates automatically.
Trimble says it has found that some on-premises deployments may have overprivileged IIS identity permissions, warning that these should not run with local or domain-level administrative privileges.
Moreover, some deployments have incorrect attachment directory configurations. The vendor recommends limiting attachment root folders to contain only attachments.
After completing all three actions, customers may resume normal operations with Cityworks.
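The two hardening points above (application pool identity privileges and attachment folder contents) can be audited from an elevated PowerShell session on an on-premises IIS host. The script below is an added example written for this article; it is not Trimble's or CISA's code. The attachment root path and the allowed-extension list are placeholders to adjust for a real deployment, and the admin check covers direct membership in the local Administrators group only (nested domain groups need a separate Active Directory lookup).

```powershell
# Added example (not vendor code): audit IIS app pool identities for admin
# membership and scan the Cityworks attachment root for non-attachment files.
# Assumptions (hypothetical): $AttachmentRoot and $AllowedExtensions are
# placeholders; replace them with the values from your own deployment.
Import-Module WebAdministration

$AttachmentRoot    = 'D:\CityworksAttachments'                          # placeholder
$AllowedExtensions = @('.pdf', '.jpg', '.jpeg', '.png', '.docx', '.xlsx')  # placeholder allow-list

# --- 1. Application pool identities -------------------------------------
# Lower-cased names of direct members of the local Administrators group.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLower() }

$poolReport = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $pm = $pool.processModel
    # Resolve the effective account the worker process runs as.
    $identity = switch ("$($pm.identityType)") {
        'SpecificUser'   { $pm.userName }
        'LocalSystem'    { 'NT AUTHORITY\SYSTEM' }
        'NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
        default          { "IIS APPPOOL\$($pool.Name)" }   # ApplicationPoolIdentity
    }
    # LocalSystem is administrative by definition; everything else is
    # flagged only if it appears directly in the local Administrators group.
    $overprivileged = ("$($pm.identityType)" -eq 'LocalSystem') -or
                      ($localAdmins -contains $identity.ToLower())
    [pscustomobject]@{
        AppPool        = $pool.Name
        IdentityType   = "$($pm.identityType)"
        Identity       = $identity
        Overprivileged = $overprivileged
    }
}

Write-Host '== Application pool identities =='
$poolReport | Format-Table -AutoSize
$poolReport | Where-Object Overprivileged | ForEach-Object {
    Write-Warning "App pool '$($_.AppPool)' runs as '$($_.Identity)', which holds administrative rights."
}

# --- 2. Attachment root folder contents ---------------------------------
# Anything that is not a permitted attachment type does not belong here;
# web content and executables in particular are worth a closer look.
if (Test-Path -LiteralPath $AttachmentRoot) {
    $suspect = Get-ChildItem -LiteralPath $AttachmentRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $AllowedExtensions -notcontains $_.Extension.ToLower() }

    Write-Host "== Non-attachment files under $AttachmentRoot =="
    if ($suspect) {
        $suspect | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    } else {
        Write-Host 'None found.'
    }
} else {
    Write-Warning "Attachment root '$AttachmentRoot' does not exist; check the Cityworks configuration."
}
```

Run it as an administrator on the Cityworks IIS server; an app pool flagged as overprivileged should be switched to ApplicationPoolIdentity or a dedicated low-privilege service account, and any unexpected files under the attachment root should be reviewed against the indicators of compromise Trimble published before normal operations resume.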
While CISA has not shared how the flaw is being exploited, Trimble has released indicators of compromise for attacks seen exploiting the vulnerability.
These IOCs indicate that the threat actors deployed a variety of tools for remote access, including WinPutty and Cobalt Strike beacons.
Microsoft also warned yesterday that threat actors are breaching IIS servers to deploy malware in ViewState code injection attacks using ASP.NET machine keys exposed online.