Trimble Cityworks zero-day flaw under attack, patch now

CVE-2025-0994 is a high-severity deserialization vulnerability that enables remote code execution in unpatched versions of Cityworks enterprise asset management software.

Cityworks, an enterprise asset management product from industrial technology vendor Trimble, is under attack via a recent zero-day vulnerability that enables remote code execution.

The vulnerability, tracked as CVE-2025-0994, is a deserialization of untrusted data flaw present in all versions of the Cityworks EAM product prior to 15.8.9 as well as versions of Cityworks with Office Companion prior to 23.10. This vulnerability could, according to a CISA advisory published Thursday, "allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server."

CISA received reports of the vulnerability being actively exploited, according to the advisory. The agency added that "Cityworks software is incapable of controlling industrial processes, and is not directly part of an ICS."

Informa TechTarget asked CISA about the scope of exploitation, but the agency declined to comment.

Trimble published an advisory of its own that included indicators of compromise for the threat activity. The software vendor urged on-premises customers to install the updated 15.8.9 and 23.10 versions of Cityworks immediately -- Cityworks Online (CWOL) deployments receive updates automatically -- and offered two additional pieces of mitigation advice.

For the first, Trimble "observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions."

"For avoidance of doubt, and in accordance with our technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the Cityworks Support Portal* for more information on how to update IIS identity permissions," the advisory read. "Our CWOL customers have their IIS identity permissions set appropriately and do not need to take this action."
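The IIS identity check Trimble describes can be audited before touching the Cityworks release notes. The following PowerShell script is an added example, not Trimble's code or anything from the advisory: it enumerates every IIS application pool on the server and flags any whose identity is the built-in LocalSystem account or a custom account that is a member of the local Administrators group (or, if the RSAT ActiveDirectory module is present, Domain Admins). It assumes IIS 10 with the IISAdministration module and an elevated session; the group-membership comparison assumes custom identities are stored in DOMAIN\user form.

```powershell
# Added example (not Trimble's code): audit IIS application pool identities for the
# overprivileged configuration the Cityworks advisory warns about.
# Assumes: IISAdministration module (IIS 10 / Windows Server 2016+), elevated session,
# and optionally RSAT's ActiveDirectory module for the Domain Admins check.

Import-Module IISAdministration -ErrorAction Stop

# Built-in identity types that are local-administrator-equivalent.
$overprivilegedBuiltins = @('LocalSystem')

# Members of the local Administrators group, lower-cased so that
# "HOST\svc_cityworks" and "host\svc_cityworks" compare equal.
$localAdmins = @()
try {
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name.ToLowerInvariant() }
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
}

# Optional: Domain Admins members in DOMAIN\sam form, if the AD module is installed.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $netbios = (Get-ADDomain).NetBIOSName
        $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            ForEach-Object { "$netbios\$($_.SamAccountName)".ToLowerInvariant() }
    } catch {
        Write-Warning "Could not enumerate Domain Admins: $($_.Exception.Message)"
    }
}

# Inspect each application pool's process identity.
$findings = foreach ($pool in Get-IISAppPool) {
    $type   = [string]$pool.ProcessModel.IdentityType   # e.g. ApplicationPoolIdentity, SpecificUser
    $user   = [string]$pool.ProcessModel.UserName
    $reason = $null

    if ($overprivilegedBuiltins -contains $type) {
        $reason = "runs as built-in $type"
    } elseif ($type -eq 'SpecificUser' -and $user) {
        $u = $user.ToLowerInvariant()
        if ($localAdmins -contains $u) {
            $reason = "custom account '$user' is a member of local Administrators"
        } elseif ($domainAdmins -contains $u) {
            $reason = "custom account '$user' is a member of Domain Admins"
        }
    }

    $shownUser = ''
    if ($type -eq 'SpecificUser') { $shownUser = $user }

    [pscustomobject]@{
        AppPool        = $pool.Name
        IdentityType   = $type
        UserName       = $shownUser
        Overprivileged = [bool]$reason
        Reason         = $reason
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit so the script can gate a configuration-compliance job.
$bad = @($findings | Where-Object Overprivileged)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) application pool(s) run with administrative privileges; reconfigure per the Cityworks release notes."
    exit 1
}
Write-Host "No application pool runs with local or domain administrative privileges."
```

The script only reports; remediation (switching the pool to ApplicationPoolIdentity or a dedicated low-privilege service account, then granting that account the specific file and database rights Cityworks needs) should follow the vendor's release notes. Identities stored as user principal names (user@domain) will not match the DOMAIN\user form returned by the group queries and would need to be normalised first.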

For the second, Trimble said it observed some Cityworks deployments with inappropriate attachment directory configurations.

"Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments," the advisory read. "Please refer to the direction in the latest release notes in the Cityworks Support Portal* for more information on how to ensure proper configuration of the attachment directory."

Once patches have been applied and mitigation advice has been followed, customers "can resume normal operation of Cityworks including use of Office Companion," Trimble said.

The CVE, which was also published Thursday, was assigned a CVSS version 3.1 base score of 7.2 and a CVSS version 4 score of 8.6. Trimble reported the flaw to CISA itself.

Piotr Kijewski, CEO of cybersecurity nonprofit Shadowserver Foundation, said in an email to Informa TechTarget that to his knowledge, there are only a few exposed instances of Cityworks -- with all in North America -- and that he was able to count five unpatched instances total.

Informa TechTarget asked Trimble about the scope of exploitation, but the company declined to comment on the matter. However, a spokesperson provided the following statement:

Trimble takes cybersecurity seriously and employs a proactive approach to managing any potential threats to our customer community. After receiving reports of third-party attempts to gain unauthorized access to certain Cityworks deployments, we took swift action to notify our customers of the issue and investigate any potential threats. In the course of the investigation, our internal security teams discovered a deserialization vulnerability within the Cityworks application that was promptly remediated through issuance of security patches for the affected versions. Furthermore, we provided additional recommendations in our latest customer communication to advise our on-premises customers on certain cybersecurity best practices. Trimble will remain vigilant to protect its customers' systems and data from any threats.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.