Skip to content

Exploitation of Trimble Cityworks Vulnerability: Urgent Patch Required

A critical vulnerability in Trimble's Cityworks platform, widely used by local governments and public agencies, is being actively exploited by hackers. This flaw, identified as CVE-2025-0994, allows remote code execution on Microsoft IIS web servers, posing significant risks to infrastructure management systems. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal civilian agencies to patch this vulnerability by February 28, highlighting the urgency of the situation.

The vulnerability arises from a deserialization issue that enables unauthorized access and the deployment of malicious payloads. Trimble has confirmed attempts to exploit this flaw, particularly in on-premises installations with over-privileged IIS identity permissions and misconfigured attachment directories. Attackers are leveraging obfuscated JavaScript payloads and Rust-based malware loaders to maintain persistence on compromised servers.

CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging immediate action to install security updates and review systems for indicators of compromise. The advisory includes specific indicators such as SHA256 hashes of malicious files and Cobalt Strike command-and-control domains, which are crucial for identifying potential breaches.

Threats and Vulnerabilities 

The Trimble Cityworks vulnerability (CVE-2025-0994) is a critical deserialization flaw that allows remote code execution on Microsoft IIS web servers. This vulnerability is particularly concerning for local governments, utilities, airports, and public works agencies that rely on Cityworks for infrastructure management. Exploitation of this flaw can lead to unauthorized access and control over critical systems, potentially disrupting essential services.

Hackers are actively exploiting this vulnerability using obfuscated JavaScript payloads and Rust-based malware loaders. These techniques enable attackers to maintain persistence on compromised servers, making detection and remediation more challenging. The use of Cobalt Strike command-and-control domains further complicates the threat landscape, as it allows attackers to coordinate and execute complex attacks.

The impact of this vulnerability is significant, with potential consequences including operational disruptions, data breaches, and financial losses. The exploitation of over-privileged IIS identity permissions and misconfigured attachment directories exacerbates the risk, highlighting the need for immediate corrective actions.

Client Impact

Clients using Trimble's Cityworks platform may face severe operational disruptions if the identified vulnerability is exploited. Unauthorized access could lead to data breaches, compromising sensitive information and potentially resulting in financial losses. The reputational damage from such incidents could be substantial, affecting public trust and stakeholder confidence.

From a compliance perspective, failure to address this vulnerability could lead to regulatory challenges. Organizations may face audits or penalties if they do not take appropriate measures to secure their systems against known threats. Ensuring compliance with relevant cybersecurity standards is crucial to mitigate these risks and maintain operational integrity.

Mitigations 

To mitigate the risks associated with the Trimble Cityworks vulnerability, clients should take the following actions:

  1. Apply the latest patches for Cityworks versions 15.x (15.8.9) and 23.x (23.10), released on January 28 and 29, respectively.
  2. Review IIS identity permissions to confirm they do not have domain or local administrative privileges.
  3. Restrict access to attachment directories to prevent unauthorized modifications.
  4. Monitor systems for indicators of compromise, including SHA256 hashes of malicious files and Cobalt Strike command-and-control domains.
  5. Implement network segmentation to limit the spread of potential attacks within your infrastructure.

Taking these steps will help reduce the risk of exploitation and protect critical infrastructure systems from unauthorized access. Continuous monitoring and timely application of security updates are essential components of a robust cybersecurity strategy.

1898 & Co. Response

1898 & Co is actively addressing the current threat landscape by offering specialized services to help clients secure their infrastructure against emerging threats like the Trimble Cityworks vulnerability. Our team provides tailored solutions that include vulnerability assessments, patch management strategies, and incident response planning to enhance your organization's security posture.

We are updating our security protocols to incorporate the latest threat intelligence and best practices for mitigating risks associated with remote code execution vulnerabilities. Our collaborative efforts with industry allies and government agencies ensure that we remain at the forefront of cybersecurity developments, providing our clients with timely and effective solutions.

Our ongoing research into threat vectors such as obfuscated payloads and malware loaders enables us to offer cutting-edge defenses against sophisticated attacks. By leveraging our expertise and resources, clients can confidently navigate the evolving cybersecurity landscape and protect their critical assets from potential threats.

Sources

  1. CISA Advisory on Trimble Cityworks Vulnerability

  2. Trimble Security Bulletin on CVE-2025-0994

  3. Overview of Cobalt Strike Command-and-Control Techniques

  4. Best Practices for Securing Microsoft IIS Web Servers