Chinese hackers breach US local governments using Cityworks zero-day

Chinese-speaking hackers exploited a zero-day vulnerability in Trimble Cityworks GIS software to gain access to U.S. local government networks. They deployed malware, including Cobalt Strike beacons and web shells, to maintain persistent access and pivot toward utility management systems. #CVE-2025-0994 #UAT-6382

Key points

  • The attackers targeted Trimble Cityworks, a widely used asset management platform for local governments in the U.S.
  • They exploited a high-severity deserialization flaw (CVE-2025-0994) in Cityworks deployments on Microsoft IIS servers to gain initial access.
  • The hacking group, UAT-6382, used a Rust-based malware loader to deploy Cobalt Strike beacons and VSHell malware.
  • Web shells with messages in Chinese were used for backdoor access, indicating Chinese-language tools and communications.
  • Federal agencies were urgently advised to patch the vulnerability to prevent further exploitation and protect critical infrastructure.

Read More: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/