Trimble’s Cityworks Zero-Day: A Comedy of Vulnerabilities and Overprivileged IIS Permissions

Trimble Cityworks has a high-severity vulnerability, CVE-2025-0994, that allows remote code execution via a deserialization issue. Although exploitation requires authentication, threat actors have used it to deliver malware such as Cobalt Strike. Trimble urges customers to update to version 15.8.9 or 23.10 to patch this zero-day vulnerability.

Hot Take:

Looks like Trimble’s Cityworks is in the spotlight for all the wrong reasons! Who knew an innocent-sounding “deserialization issue” could wreak such havoc? Maybe it’s time for Cityworks to take a city-wide vacation until this mess is sorted out. Because when a zero-day vulnerability parties like it’s 2025, things get wild—literally!

Key Points:

  • Trimble’s Cityworks suffers from a critical zero-day vulnerability (CVE-2025-0994).
  • The flaw permits remote code execution on Microsoft’s IIS web server.
  • CISA issued an advisory, although Cityworks doesn’t directly control industrial processes.
  • Exploitation requires authentication but has been linked to Cobalt Strike deployment.
  • Trimble released patches for Cityworks versions 15.8.9 and 23.10.

The Nimble Nerd