Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
Trimble Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software designed primarily for local governments, utilities, and public works organizations.
The product helps municipalities and infrastructure agencies manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other things.
The flaw, tracked as CVE-2025-0994, is a high severity (CVSS v4.0 score: 8.6) deserialization problem that allows authenticated users to perform RCE attacks against a customer’s Microsoft Internet Information Services (IIS) servers.
Trimble states that it has investigated customer reports about hackers gaining unauthorized access to customer networks by leveraging the flaw, indicating that exploitation is underway.
Exploiting to breach networks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a coordinated advisory warning customers to immediately secure their networks from attacks.
The CVE-2025-0994 flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with office companion versions before 23.10.
The latest versions, 15.8.9 and 23.10, were made available on January 28 and 29, 2025, respectively.
Administrators managing on-premise deployments must apply the security update as soon as possible, while cloud-hosted instances (CWOL) will receive the updates automatically.
Trimble says it has discovered that some on-premises deployments may have overprivileged IIS identity permissions, warning that these should not run with local or domain-level administrative privileges.
Moreover, some deployments have incorrect attachment directory configurations. The vendor recommends restricting attachment root folders to contain only attachments.
After completing all three actions, customers may resume normal operations with Cityworks.
While CISA has not shared how the flaw is being exploited, Trimble has released indicators of compromise for attacks seen exploiting the vulnerability.
These IOCs indicate that the threat actors deployed a variety of tools for remote access, including WinPutty and Cobalt Strike beacons.
Microsoft also warned yesterday that threat actors are breaching IIS servers to deploy malware in ViewState code injection attacks using ASP. NET machine keys exposed online.
