- Description
- Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
- Source
- ics-cert@hq.dhs.gov
- NVD status
- Analyzed
- Products
- cityworks
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- Trimble Cityworks Deserialization Vulnerability
- Exploit added on
- Feb 7, 2025
- Exploit action due
- Feb 28, 2025
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- ics-cert@hq.dhs.gov
- CWE-502
- Hype score
- Not currently trending
New IOC Alert → UAT-7237 targets Taiwanese web hosting infrastructure. ■ Indicator: CVE-2025-0994
@CTI131
17 Sept 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
10 Aug 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Chinese-speaking threat actor UAT-6382 is exploiting a Cityworks zero-day (CVE-2025-0994) to target US local govt networks. Per @TalosSecurity, the attackers have been active since January 2025. #CyberSecurity #ZeroDay #CVE20250994 #InfoSec #ChinaCyber https://t.co/ooghneyaXf
@PolySwarm
30 May 2025
573 Impressions
10 Retweets
25 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
28 May 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
28 May 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-0994 : Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. https://t.co/heMo1kwY7r
@freedomhack101
27 May 2025
72 Impressions
0 Retweets
1 Like
0 Bookmarks
2 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
27 May 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
26 May 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CISA warns: CVE-2025-0994 exploited by Chinese hackers in attacks on U.S. infrastructure via Trimble Cityworks. Targeted utilities, used persistent malware. Patch issued in Feb—don’t delay! #CISA #Darkweb #Deepweb Breaking news from the world & Darkweb: https://t.co/
@Remzunlock0
25 May 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Vulnérabilité CVE-2025-0994 dans Cityworks exploitée via TetraLoader par le groupe UAT-6382. 🕵️ Découverte d’une campagne d’exploitation zero-day : UAT-6382 https://t.co/SU9UCQY1Fq
@NicolasCoolman
25 May 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 May 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CISA warns: CVE-2025-0994 exploited by Chinese hackers in attacks on U.S. infrastructure via Trimble Cityworks. Targeted utilities, used persistent malware. Patch issued in Feb—don’t delay! #CISA #Darkweb #Deepweb Breaking news from the world & Darkweb: https://t.co/
@godeepweb
24 May 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
中国のハッカーが米国地方政府への攻撃でCityworksゼロデイを悪用(CVE-2025-0994) https://t.co/a6TU0AuKjO #Security #セキュリティ #ニュース
@SecureShield_
24 May 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A Chinese-speaking threat actor, tracked as UAT-6382, has breached U.S. local government systems by exploiting CVE-2025-0994, a critical deserialization vulnerability in Trimble Cityworks, a widely used GIS-centric asset management platform. The attackers leveraged authenticated
@cytexsmb
23 May 2025
53 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
1 Quote
🐉 Chinese Hackers Exploit Cityworks Zero-Day U.S. local govs hit by CVE-2025-0994—Rust malware, Cobalt Strike, and web shells used for deep access. Patch now or risk breach. https://t.co/7nhu78jXJu #CyberAttack #APT #Infosec #CISA https://t.co/vgJX58tRih
@dCypherIO
23 May 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
23 May 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Chinese-speaking APT group #UAT6382 exploits #Cityworks zero-day (CVE-2025-0994). 🎯 Tactics: obfuscated scripts, DLL side-loading, registry persistence. 📌 Target: public sector entities. 🔗 Details: https://t.co/EWEIC37hsb
@Damag3dRoot
23 May 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
22 May 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Cisco Talos has identified exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, by a Chinese-speaking threat actor group dubbed UAT-6382. https://t.co/RhpU9LvGXc
@securityRSS
22 May 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Chinese hackers exploited a zero-day in Trimble Cityworks GIS, deploying Cobalt Strike and web shells to access US local government networks via CVE-2025-0994. 🚨🇺🇸 #CyberAttack #China #GovSecurity https://t.co/RZMW7cGCxr
@TweetThreatNews
22 May 2025
33 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
UAT-6382: attacco zero-day contro Cityworks e nuove backdoor Rust-based Sicurezza Informatica, backdoor, beacon, Cisco Talos, Cityworks, Cityworks RCE, Cobalt Strike, CVE-2025-0994, exploit, guerra cibernetica, MaLoader, malware, Rust, TetraLoader, UAT-6… https://t.co/9LTzvqBA0
@matricedigitale
22 May 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cisco Talos reports that the UAT-6382 group is exploiting a Cityworks zero-day vulnerability (CVE-2025-0994) to deploy malware, including Rust-based loaders and web shells, primarily targeting U.S. local government networks. #CyberSecurity https://t.co/VBmMzfSRLB
@Cyber_O51NT
22 May 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382 A China-linked APT, UAT-6382, is actively exploiting a zero-day (CVE-2025-0994) in Cityworks to gain RCE and persistent access to government and utility systems. https://t.co/hiYeR6T9af
@the_yellow_fall
22 May 2025
359 Impressions
3 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
🚨🚨 Heads up! Microsoft has identified a high-severity vulnerability (CVE-2025-0994) in https://t.co/3E22obHh01 Web Forms that could allow remote code execution! 💻⚠️ Don't wait—patch it ASAP to safeguard against potential attacks! Stay secure! 🔒✨ #CyberSecurity #Microsoft
@georgemcbride
19 Apr 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#Vulnerability #Cityworks CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild https://t.co/9CRSBAeq2Y
@Komodosec
9 Mar 2025
42 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
4 Mar 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Hey, heads up! Hackers are actively exploiting a Cityworks vulnerability (CVE-2025-0994). They could gain access to sensitive gov data! Patch NOW! https://t.co/0hzuiHHhtT
@storagetechnews
4 Mar 2025
10 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
1 Mar 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
27 Feb 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
25 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
A recent report from the @CISAgov (CISA) warns of a critical vulnerability in Trimble Cityworks that has been exploited by hackers to conduct remote code execution (RCE) attacks. The vulnerability, tracked as CVE-2025-0994, allows attackers to gain unauthorized access to systems
@bytagig
22 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
22 Feb 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
21 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#threatreport #MediumCompleteness Trimble Cityworks: CVE-2025-0994 | 19-02-2025 Source: https://t.co/xzXeR2J67V Key details below ↓ 💀Threats: Cobalt_strike, Vshell, Putty_tool, 🎯Victims: Local governments, Utilities 🏭Industry: Critical_infrastructure, Transport,… https://t.
@rst_cloud
20 Feb 2025
51 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
19 Feb 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
19 Feb 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CISA warns of active exploitation in Trimble Cityworks software. Protect against CVE-2025-0994. Stay informed. URL: https://t.co/F5J30LoSTZ
@threatlight
18 Feb 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
18 Feb 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
17 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
16 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
15 Feb 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
15 Feb 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
13 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Unpacking the Cityworks RCE Bug: A Deep Dive into CVE-2025-0994 https://t.co/pxNVhY8FFa #cve20250994 #cityworks #rce #cybersecurity #infosec #vulnerability #microsoftiis #criticalinfrastructure #cyberthreats #patchmanagement
@DefendOpsHQ
11 Feb 2025
26 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA warns of active exploitation in Trimble Cityworks GIS software, with a high-severity vulnerability (CVE-2025-0994, CVSS 8.6) being weaponized in the wild. If left unpatched, attackers could gain unauthorized access and deploy harmful payloads like Cobalt Strike and… http
@achi_tech
11 Feb 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers Exploiting Cityworks RCE Vulnerability (CVE-2025-0994)! Attackers use deserialization flaws to execute commands on Microsoft IIS servers, deploying Cobalt Strike for access. Affects Cityworks versions <15.8.9 & <23.10. Update & secure configurations ASAP
@dCypherIO
11 Feb 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 La CISA alerta sobre la vulnerabilidad CVE-2025-0994 en Trimble Cityworks que permite ejecución remota de código. ¡Las organizaciones deben aplicar parches ya! Protege tu infraestructura crítica. Más info: https://t.co/H7XGM21JW9 #Ciberseguridad #Vulnerabilidad
@SotyHub
10 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Kritieke kwetsbaarheid in trimble cityworks: wat u moet weten https://t.co/qmThsX5THv #CVE-2025-0994 #Trimble Cityworks #Deserialisatie Kwetsbaarheid #Remote Code Execution #Microsoft IIS Webserver #Trending #Tech #Nieuws
@TrendingNewsBot
10 Feb 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0994
@transilienceai
10 Feb 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97280FE5-5F66-4B2B-88B0-6F6E671FF90A",
"versionEndExcluding": "15.8.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E611E790-43D6-457E-8C82-E5CB157F14E3",
"versionEndExcluding": "23.10",
"versionStartIncluding": "23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]