Date of Disclosure (source): February 6, 2025
Date Reported as Actively Exploited (source): February 7, 2025
CVE-2025-0994 is a deserialization vulnerability affecting Trimble Cityworks versions before 15.8.9 and Cityworks with office companion versions before 23.10. ICS-CERT assigned this vulnerability a CVSS score of 8.6 (high).
An unauthenticated user can exploit this vulnerability to perform remote code execution against a customer’s Microsoft Internet Information Services (IIS) web server, essentially allowing an attacker to take control of the backend server running Cityworks.
Local governments and utilities use Trimble Cityworks to manage infrastructure like water treatment plants, wastewater facilities, and public works. Successful exploitation of exposed devices may allow attackers to disrupt critical systems responsible for public infrastructure management.
This vulnerability is known to be actively exploited and was added to CISA’s catalog of Known Exploited Vulnerabilities (KEV) on February 7, 2025. CISA issued an advisory for CVE-2025-0994, urging organizations to apply the patch immediately.
| Field | Details | |||||
|---|---|---|---|---|---|---|
| CVE-ID | CVE-2025-0994 – CVSS 8.6 (High) – assigned by ICS-CERT | |||||
| Vulnerability Description | Trimble Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10 are vulnerable to a deserialization flaw. This vulnerability allows an authenticated user to perform a remote code execution attack against a customer’s Microsoft IIS web server. | |||||
| Date of Disclosure | February 6, 2025 | |||||
| Affected Assets | Organizations using Trimble Cityworks or Cityworks with Office Companion, particularly those deploying the software on Microsoft IIS web servers. | |||||
| Vulnerable Software Versions | – Cityworks versions prior to 15.8.9
– Cityworks with Office Companion versions prior to 23.10 | |||||
| PoC Available? | We did not observe any public exploits available at the time of writing. | |||||
| Exploitation Status | This vulnerability has been actively exploited in the wild. CVE-2025-0994 was added to CISA KEV on February 7, 2025. | |||||
| Patch Status | Trimble has released security updates in their advisory addressing this vulnerability. Users are advised to update to Cityworks version 15.8.9 or later, and Cityworks with Office Companion version 23.10 or later. | |||||
Censys Perspective
At the time of writing, Censys observed 335 exposed Trimble Citywork instances. A large proportion of these (91%) are geolocated in the United States. Note that not all instances observed are necessarily vulnerable as we do not always have specific versions available.
Of the 335 exposed, 108 exposed a version that is vulnerable to CVE-2025-0994. See the table below for the top ten versions we saw most frequently:
| Version | Host Count |
|---|---|
| 15.8.8 | 15 |
| 15.8.3 | 11 |
| 15.8.6 | 11 |
| 15.8.7 | 11 |
| 15.7.7 | 8 |
| 15.8.2 | 8 |
| 15.7.5 | 6 |
| 15.6.3 | 5 |
| 15.8.4 | 5 |
| 15.2.3 | 4 |
Map of Vulnerable Trimble Cityworks Instances:
services.software: (vendor="Trimble" and product="Cityworks") and not labels: {honeypot, tarpit}
(host.services.software: (vendor:"Trimble" and product:"Cityworks") and not host.labels.value: {"HONEYPOT", "TARPIT"}) or (web.software: (vendor:"Trimble" and product:"Cityworks") and not web.labels.value: {"HONEYPOT", "TARPIT"})
(host.services.software: (vendor="Trimble" and product="Cityworks") or web_entity.instances.software: (vendor="Trimble" and product="Cityworks")) and not host.labels: {honeypot, tarpit}
risks.name = "Vulnerable Trimble Cityworks [CVE-2025-0994]"