Trimble Cityworks Customers Warned of Zero-Day Exploitation

Trimble Cityworks is affected by a zero-day vulnerability that has been exploited in attacks involving the delivery of malware.

US-based construction, geospatial and transportation technology solutions provider Trimble has warned customers of its Cityworks product about a vulnerability that has been exploited in the wild.

The zero-day, tracked as CVE-2025-0994 and classified as ‘high severity’, has been described as a deserialization issue that allows an external threat actor to achieve remote code execution against the target’s Microsoft Internet Information Services (IIS) web server.

Trimble Cityworks is a GIS-centric solution that organizations such as local governments, airports, utilities, and public works agencies can use to manage and maintain infrastructure. The product has been used by organizations worldwide.

The cybersecurity agency CISA has published an industrial control systems (ICS) advisory for CVE-2025-0994, likely due to its use in the industrial sector, but noted that the “Cityworks software is incapable of controlling industrial processes, and is not directly part of an ICS”.

CISA’s advisory also reveals that authentication is required to exploit the vulnerability. 

Based on the indicators of compromise (IoCs) made available by Trimble, the threat actors exploiting the Cityworks zero-day have delivered Cobalt Strike and several unidentified pieces of malware in post-exploitation activity.  

It’s unclear who is behind the attacks and what types of entities have been targeted. However, Trimble received reports of “unauthorized attempts to gain access to specific customers’ Cityworks deployments”. In addition, given the types of organizations Cityworks is designed for, the zero-day has likely been exploited in targeted attacks.

The vendor pointed out that some on-premises deployments have overprivileged IIS permissions. In addition, some deployments have inappropriate attachment directory configurations. Customers have been urged to address these issues. 

Trimble has patched CVE-2025-0994 with the release of Cityworks 15.8.9 and 23.10 (with office companion). Previous versions of the software are affected.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
