AI description
CVE-2025-0994 is a deserialization vulnerability affecting Trimble Cityworks software versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. This vulnerability allows authenticated users to potentially execute remote code on a customer's Microsoft Internet Information Services (IIS) web server where Cityworks is hosted. Exploitation of this vulnerability has been observed in the wild, with attackers reportedly deploying malware such as Cobalt Strike. While Cityworks is used in various sectors, including those managing critical infrastructure, it does not directly control industrial processes.
- Description
- Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
- Source
- ics-cert@hq.dhs.gov
- NVD status
- Analyzed
- Products
- cityworks
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- Trimble Cityworks Deserialization Vulnerability
- Exploit added on
- Feb 7, 2025
- Exploit action due
- Feb 28, 2025
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- ics-cert@hq.dhs.gov
- CWE-502
- Hype score
- Not currently trending
New IOC Alert → UAT-7237 targets Taiwanese web hosting infrastructure. ■ Indicator: CVE-2025-0994
@CTI131
17 Sept 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
10 Aug 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Chinese-speaking threat actor UAT-6382 is exploiting a Cityworks zero-day (CVE-2025-0994) to target US local govt networks. Per @TalosSecurity, the attackers have been active since January 2025. #CyberSecurity #ZeroDay #CVE20250994 #InfoSec #ChinaCyber https://t.co/ooghneyaXf
@PolySwarm
30 May 2025
573 Impressions
10 Retweets
25 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
28 May 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
28 May 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-0994 : Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. https://t.co/heMo1kwY7r
@freedomhack101
27 May 2025
72 Impressions
0 Retweets
1 Like
0 Bookmarks
2 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
27 May 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
26 May 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CISA warns: CVE-2025-0994 exploited by Chinese hackers in attacks on U.S. infrastructure via Trimble Cityworks. Targeted utilities, used persistent malware. Patch issued in Feb—don’t delay! #CISA #Darkweb #Deepweb Breaking news from the world & Darkweb: https://t.co/
@Remzunlock0
25 May 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Vulnérabilité CVE-2025-0994 dans Cityworks exploitée via TetraLoader par le groupe UAT-6382. 🕵️ Découverte d’une campagne d’exploitation zero-day : UAT-6382 https://t.co/SU9UCQY1Fq
@NicolasCoolman
25 May 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 May 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CISA warns: CVE-2025-0994 exploited by Chinese hackers in attacks on U.S. infrastructure via Trimble Cityworks. Targeted utilities, used persistent malware. Patch issued in Feb—don’t delay! #CISA #Darkweb #Deepweb Breaking news from the world & Darkweb: https://t.co/
@godeepweb
24 May 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
中国のハッカーが米国地方政府への攻撃でCityworksゼロデイを悪用(CVE-2025-0994) https://t.co/a6TU0AuKjO #Security #セキュリティ #ニュース
@SecureShield_
24 May 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A Chinese-speaking threat actor, tracked as UAT-6382, has breached U.S. local government systems by exploiting CVE-2025-0994, a critical deserialization vulnerability in Trimble Cityworks, a widely used GIS-centric asset management platform. The attackers leveraged authenticated
@cytexsmb
23 May 2025
53 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
1 Quote
🐉 Chinese Hackers Exploit Cityworks Zero-Day U.S. local govs hit by CVE-2025-0994—Rust malware, Cobalt Strike, and web shells used for deep access. Patch now or risk breach. https://t.co/7nhu78jXJu #CyberAttack #APT #Infosec #CISA https://t.co/vgJX58tRih
@dCypherIO
23 May 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
23 May 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Chinese-speaking APT group #UAT6382 exploits #Cityworks zero-day (CVE-2025-0994). 🎯 Tactics: obfuscated scripts, DLL side-loading, registry persistence. 📌 Target: public sector entities. 🔗 Details: https://t.co/EWEIC37hsb
@Damag3dRoot
23 May 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
22 May 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Cisco Talos has identified exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, by a Chinese-speaking threat actor group dubbed UAT-6382. https://t.co/RhpU9LvGXc
@securityRSS
22 May 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese hackers exploited a zero-day in Trimble Cityworks GIS, deploying Cobalt Strike and web shells to access US local government networks via CVE-2025-0994. 🚨🇺🇸 #CyberAttack #China #GovSecurity https://t.co/RZMW7cGCxr
@TweetThreatNews
22 May 2025
33 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
UAT-6382: attacco zero-day contro Cityworks e nuove backdoor Rust-based Sicurezza Informatica, backdoor, beacon, Cisco Talos, Cityworks, Cityworks RCE, Cobalt Strike, CVE-2025-0994, exploit, guerra cibernetica, MaLoader, malware, Rust, TetraLoader, UAT-6… https://t.co/9LTzvqBA0
@matricedigitale
22 May 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cisco Talos reports that the UAT-6382 group is exploiting a Cityworks zero-day vulnerability (CVE-2025-0994) to deploy malware, including Rust-based loaders and web shells, primarily targeting U.S. local government networks. #CyberSecurity https://t.co/VBmMzfSRLB
@Cyber_O51NT
22 May 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382 A China-linked APT, UAT-6382, is actively exploiting a zero-day (CVE-2025-0994) in Cityworks to gain RCE and persistent access to government and utility systems. https://t.co/hiYeR6T9af
@the_yellow_fall
22 May 2025
359 Impressions
3 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
🚨🚨 Heads up! Microsoft has identified a high-severity vulnerability (CVE-2025-0994) in https://t.co/3E22obHh01 Web Forms that could allow remote code execution! 💻⚠️ Don't wait—patch it ASAP to safeguard against potential attacks! Stay secure! 🔒✨ #CyberSecurity #Microsoft
@georgemcbride
19 Apr 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#Vulnerability #Cityworks CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild https://t.co/9CRSBAeq2Y
@Komodosec
9 Mar 2025
42 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
4 Mar 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Hey, heads up! Hackers are actively exploiting a Cityworks vulnerability (CVE-2025-0994). They could gain access to sensitive gov data! Patch NOW! https://t.co/0hzuiHHhtT
@storagetechnews
4 Mar 2025
10 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
1 Mar 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
27 Feb 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
A recent report from the @CISAgov (CISA) warns of a critical vulnerability in Trimble Cityworks that has been exploited by hackers to conduct remote code execution (RCE) attacks. The vulnerability, tracked as CVE-2025-0994, allows attackers to gain unauthorized access to systems
@bytagig
22 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
22 Feb 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
21 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#threatreport #MediumCompleteness Trimble Cityworks: CVE-2025-0994 | 19-02-2025 Source: https://t.co/xzXeR2J67V Key details below ↓ 💀Threats: Cobalt_strike, Vshell, Putty_tool, 🎯Victims: Local governments, Utilities 🏭Industry: Critical_infrastructure, Transport,… https://t.
@rst_cloud
20 Feb 2025
51 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
19 Feb 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
19 Feb 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CISA warns of active exploitation in Trimble Cityworks software. Protect against CVE-2025-0994. Stay informed. URL: https://t.co/F5J30LoSTZ
@threatlight
18 Feb 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
18 Feb 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
17 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
16 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
15 Feb 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
15 Feb 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
13 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Unpacking the Cityworks RCE Bug: A Deep Dive into CVE-2025-0994 https://t.co/pxNVhY8FFa #cve20250994 #cityworks #rce #cybersecurity #infosec #vulnerability #microsoftiis #criticalinfrastructure #cyberthreats #patchmanagement
@DefendOpsHQ
11 Feb 2025
26 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA warns of active exploitation in Trimble Cityworks GIS software, with a high-severity vulnerability (CVE-2025-0994, CVSS 8.6) being weaponized in the wild. If left unpatched, attackers could gain unauthorized access and deploy harmful payloads like Cobalt Strike and… http
@achi_tech
11 Feb 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers Exploiting Cityworks RCE Vulnerability (CVE-2025-0994)! Attackers use deserialization flaws to execute commands on Microsoft IIS servers, deploying Cobalt Strike for access. Affects Cityworks versions <15.8.9 & <23.10. Update & secure configurations ASAP
@dCypherIO
11 Feb 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 La CISA alerta sobre la vulnerabilidad CVE-2025-0994 en Trimble Cityworks que permite ejecución remota de código. ¡Las organizaciones deben aplicar parches ya! Protege tu infraestructura crítica. Más info: https://t.co/H7XGM21JW9 #Ciberseguridad #Vulnerabilidad
@SotyHub
10 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Kritieke kwetsbaarheid in trimble cityworks: wat u moet weten https://t.co/qmThsX5THv #CVE-2025-0994 #Trimble Cityworks #Deserialisatie Kwetsbaarheid #Remote Code Execution #Microsoft IIS Webserver #Trending #Tech #Nieuws
@TrendingNewsBot
10 Feb 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
10 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "97280FE5-5F66-4B2B-88B0-6F6E671FF90A",
"versionEndExcluding": "15.8.9"
},
{
"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E611E790-43D6-457E-8C82-E5CB157F14E3",
"versionEndExcluding": "23.10",
"versionStartIncluding": "23.0"
}
],
"operator": "OR"
}
]
}
]