πŸ”΄ CVE-2025-0994

Trimble Cityworks contains a deserialization vulnerability allowing authenticated remote code execution against IIS web servers. CISA reports active exploitation of this vulnerability in the wild.

← Back to Overview
HIGH_RISK
Risk Level
8.6
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 β€” Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
No
Ransomware

πŸ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-02-06

Added to CISA KEV: 2025-02-07 1 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-0994 is a high-severity deserialization vulnerability affecting Trimble Cityworks software, which has been confirmed as being actively exploited in the wild [1] [2].

Vulnerability Overview
  • Nature of Vulnerability: Deserialization vulnerability [1].
  • Impact: Successful exploitation allows an authenticated attacker to perform Remote Code Execution (RCE) against the customer's Microsoft Internet Information Services (IIS) web server [1] [5].
  • Severity: CVSS v4 base score of 8.6 [5].
Exploitation and Threat Activity
  • Active Exploitation: The vulnerability has been observed being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog [4] [6].
  • Threat Actor Usage: Attackers have been observed deploying various malicious tools following exploitation, including Rust-based malware, Cobalt Strike, and VShell [2].
  • Requirements: Exploitation requires the attacker to be authenticated [1]. It is a network-based attack against the web server [5].
  • Proof-of-Concept/Tools: While full exploit code may not be widely public, detection methods (such as Nuclei templates) exist to identify vulnerable instances [3].
Affected Products and Mitigation
ProductAffected VersionsPatched Version
Trimble CityworksPrior to 15.8.915.8.9 or later
Cityworks with Office CompanionPrior to 23.1023.10 or later
  • Status: Users are strongly advised to update to the patched versions immediately to mitigate the risk of RCE [1] [5].

Sources

  1. CVE-2025-0994 Detail - NVD

    Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. ... CVE-2025-0994 is a high severity vulnerability that affects Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion ver…

  2. CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability

    CISA warns of active attacks exploiting Trimble Cityworks CVE-2025-0994 (CVSS 8.6). Hackers deploy Rust-based malware, Cobalt Strike, and VShell.

  3. rxerium/CVE-2025-0994 - GitHub

    This Nuclei template extracts the version stored in the HTML body and based on the version we can determine whether the instance is vulnerable to CVE-2025-0994 ... CVE-2025-0994 How does this detection method work? This Nuclei template extracts the version stored in the HTML body and based on the ve…

  4. A Vulnerability in Trimble Cityworks Could Allow for Remote Code Execution

    CISA reports CVE-2025-0994 has been exploited in the wild and affects Trimble Cityworks and Cityworks with office companion. The vulnerability is a deserialization issue that could allow an authenticated user to perform a remote code execution attack against a customer's web server.

  5. Trimble Cityworks (Update A) - CISA

    Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS…

  6. Trimble Cityworks Vulnerability [CVE-2025-0994] added to CISA KEV

    Trimble Cityworks Vulnerability [CVE-2025-0994] added to CISA KEV - 108 devices observed exposing a vulnerable version.

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

πŸ“„ Download JSON Data | πŸ“‘ RSS Feed