CVE-2025-0994
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary code on Trimble Cityworks servers via deserialization attacks. It affects organizations running vulnerable versions of Cityworks or Cityworks with Office Companion on Microsoft IIS web servers. Attackers could gain full control of affected systems.
💻 Affected Systems
- Trimble Cityworks
- Trimble Cityworks with Office Companion
📦 What is this software?
Cityworks by Trimble
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the IIS web server leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.
Likely Case
Authenticated attackers executing malicious code to steal sensitive data, disrupt operations, or pivot to other systems in the network.
If Mitigated
Limited impact if proper network segmentation, least privilege authentication, and monitoring are in place, though risk remains until patched.
🎯 Exploit Status
Exploitation requires authenticated access. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, indicating active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cityworks 15.8.9 or later; Cityworks with Office Companion 23.10 or later
Vendor Advisory: https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?
Restart Required: No
Instructions:
1. Download the latest version from the Trimble support portal.
2. Back up the current configuration and data.
3. Apply the update following Trimble's installation guide.
4. Verify successful installation and functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate Cityworks servers from critical network segments and restrict inbound/outbound traffic to the minimum required ports.
Authentication Hardening
Implement strong password policies, multi-factor authentication, and monitor for suspicious login attempts.
🧯 If You Can't Patch
- Implement strict network access controls to limit which users/systems can reach the Cityworks web interface
- Deploy web application firewall (WAF) rules to detect and block deserialization attack patterns
🔍 How to Verify
Check if Vulnerable:
Check Cityworks version in administrative interface or application files; compare against affected versions.
Check Version:
Check via Cityworks admin panel or review installation documentation for version location.
Verify Fix Applied:
Confirm the version is 15.8.9 or later for Cityworks, or 23.10 or later for Cityworks with Office Companion.
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors in IIS logs
- Suspicious authentication attempts followed by unexpected process execution
Network Indicators:
- Anomalous outbound connections from Cityworks server
- Unexpected network traffic patterns to/from the server
SIEM Query:
source="IIS" AND (event_id=*deserialization* OR message="*Remote Code Execution*")
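Added example (not part of the original advisory or any Trimble tooling): one way to hunt for the "unexpected process execution" indicator above is to flag processes started by the IIS worker process, `w3wp.exe`, that fall outside a known baseline. It assumes process-creation events (Windows Security event 4688, with its `ParentProcessName` and `NewProcessName` fields) have been exported as JSON lines; the export shape, the host name, the sample records and the baseline set are all constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"
# Assumed baseline of children an ASP.NET worker may start (compilers, crash
# reporting). Tune per host before alerting on it.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "werfault.exe"}

# Constructed sample: process-creation records (Security event 4688 style)
# exported as JSON lines. Host name and timestamps are made up.
SAMPLE = r"""
{"TimeCreated":"2025-02-10T09:14:02Z","Computer":"CW-WEB01","ParentProcessName":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","NewProcessName":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"}
{"TimeCreated":"2025-02-10T09:16:40Z","Computer":"CW-WEB01","ParentProcessName":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"TimeCreated":"2025-02-10T09:17:05Z","Computer":"CW-WEB01","ParentProcessName":"C:\\Windows\\explorer.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"TimeCreated":"2025-02-10T09:18:11Z","Computer":"CW-WEB01","ParentProcessName":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"TimeCreated":"2025-02-10T09:20:00Z","Computer":"CW-WEB01","ParentProc
"""


def image_name(path):
    """Lower-cased file name of a Windows path ('' for a missing field)."""
    return PureWindowsPath(str(path or "")).name.lower()


def flag_worker_children(lines, expected=EXPECTED_CHILDREN):
    """Return (time, host, image) for IIS worker children outside the baseline."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated export line: skip, keep hunting
        if not isinstance(ev, dict):
            continue
        parent = image_name(ev.get("ParentProcessName"))
        child = image_name(ev.get("NewProcessName"))
        # Only the worker's own children matter; other parents are out of scope.
        if parent == IIS_WORKER and child and child not in expected:
            hits.append((ev.get("TimeCreated"), ev.get("Computer"), child))
    return hits


if __name__ == "__main__":
    for hit in flag_worker_children(SAMPLE.splitlines()):
        print("REVIEW", *hit)
```

Event 4688 is only logged when process-creation auditing is enabled on the server, so confirm that policy is on before relying on an empty result.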