Trimble Cityworks Remote Code Execution Attack

What is the Attack?

Trimble Cityworks contains a deserialization vulnerability. It could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server, potentially resulting in downtime and loss of service.

According to the Trimble Cityworks website, the product provides a Geographic Information System (GIS)-centric solution for local governments, utilities, airports, and public works agencies to manage and maintain infrastructure across the full lifecycle.

Trimble has investigated customer reports of hackers exploiting the vulnerability to gain unauthorized access to networks, confirming that active exploitation is occurring. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog on February 7, 2025, based on evidence of active exploitation.

What is the recommended Mitigation?

• The CVE-2025-0994 flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with office companion versions before 23.10.
• Trimble has released updates addressing this deserialization flaw. Ensure these updates are applied to your systems.

What FortiGuard Coverage is available?

• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

