CVE-2025-0994

Name of the Vulnerable Software and Affected Versions Trimble Cityworks versions prior to 15.8.9 Trimble Cityworks with office companion versions prior to 23.10

Description A deserialization vulnerability could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server. This issue is being actively exploited, and it poses a significant risk to municipalities and infrastructure agencies that use Trimble Cityworks to manage public assets. The vulnerability allows attackers to gain unauthorized access and deploy harmful payloads like Cobalt Strike and VShell.

Recommendations Trimble Cityworks versions prior to 15.8.9: Update to version 15.8.9 or later to fix the deserialization vulnerability. Trimble Cityworks with office companion versions prior to 23.10: Update to version 23.10 or later to fix the deserialization vulnerability. As a temporary workaround, consider restricting access to the vulnerable Cityworks software until a patch is applied.