Summary: Trimble is alerting users about a critical deserialization vulnerability (CVE-2025-0994) in Cityworks software, which allows hackers to remotely execute commands on IIS servers. The flaw has led to reports of unauthorized access to customer networks and exploitation is currently taking place. Customers are urged to update to the latest versions and secure their deployments promptly to mitigate risks.
Affected: Trimble Cityworks, Microsoft Internet Information Services (IIS) servers
Keypoints :
- High severity deserialization vulnerability allows RCE attacks against IIS servers.
- Impacting Cityworks versions prior to 15.8.9 and companion versions before 23.10.
- Administrators are advised to apply security updates immediately and restrict permissions.
- CISA has issued a warning and Trimble provided indicators of compromise for affected systems.
- Exploitation leads to deployment of malware tools including Cobalt Strike beacons.