Zero-Day Zingers: Chinese Hackers Play ‘Capture the Flag’ with U.S. Cityworks
Cisco Talos warns of a zero-day vulnerability in Cityworks being exploited by the UAT-6382 group, suspected to be Chinese hackers. The flaw allows remote code execution, targeting U.S. local governments. Organizations must apply critical security patches immediately to thwart these comic-book-villain-level cyberattacks.
Hot Take:
Looks like Chinese hackers have decided to add “city planner” to their resume, diving into Cityworks with the enthusiasm of a kid in a candy store. Who knew urban management could be so thrilling? But seriously, Trimble Cityworks is the latest victim in the cyber world’s version of “Capture the Flag,” where the prize is your municipal data and the players are the UAT-6382 threat group. Talk about unfriendly neighborhood developers!
Key Points:
– Cisco Talos has flagged a zero-day vulnerability, CVE-2025-0994, being actively exploited by the UAT-6382 group.
– The vulnerability allows remote code execution on Cityworks, particularly affecting local US government agencies.
– Attackers use web shells like AntSword and Chopper, and tools such as TetraLoader to maintain access.
– The UAT-6382 group is suspected to be Chinese-speaking based on language clues in their tools.
– Cityworks has issued critical patches; users are advised to update immediately.