CVE-2025-0994 Trimble Cityworks Deserialization


CVE-2025-0994 is a critical security vulnerability identified in Trimble’s Cityworks software, a GIS-centric asset management system widely used by municipalities and utilities. The vulnerability has been actively exploited, so it requires immediate attention and remediation.

CVE-2025-0994 Description

The vulnerability arises from the deserialization of untrusted data within Cityworks. Deserialization is the process of reconstructing objects from data formats like JSON or XML. If the deserializer accepts attacker-controlled input without restricting which types it will instantiate, that input can steer the application into executing arbitrary code. In CVE-2025-0994, an authenticated attacker can exploit this flaw to perform remote code execution (RCE) on a customer’s Microsoft Internet Information Services (IIS) web server hosting Cityworks.
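The weak-versus-hardened deserialization pattern described above, shown as an added example that is not Cityworks or Trimble code: it assumes the Newtonsoft.Json library, and the WorkOrder and Note types are hypothetical stand-ins for an application's data classes.

```csharp
// Added example, not Cityworks code: a weak Newtonsoft.Json setting beside the
// hardened one. Requires the Newtonsoft.Json package; the types are hypothetical.
using System;
using Newtonsoft.Json;

public sealed class WorkOrder            // the type the endpoint is meant to accept
{
    public int Id { get; set; }
    public string Description { get; set; } = "";
}

public sealed class Note                 // stands in for "any type the client names"
{
    public string Text { get; set; } = "";
}

public static class Deserializers
{
    // Weak: TypeNameHandling.All lets the JSON "$type" member decide which class
    // gets instantiated. With a dangerous type on the class path, that choice is RCE.
    public static object? Unsafe(string json) =>
        JsonConvert.DeserializeObject(json,
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All });

    // Hardened: a fixed target type plus TypeNameHandling.None, so any "$type"
    // hint in the input is ignored and the result can only ever be a WorkOrder.
    public static WorkOrder? Safe(string json) =>
        JsonConvert.DeserializeObject<WorkOrder>(json,
            new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.None,
                MaxDepth = 32,   // also bounds nesting-based resource exhaustion
            });

    public static void Main()
    {
        // Constructed payload: the client supplies a "$type" naming a class the
        // endpoint never intended to create.
        string payload =
            "{\"$type\":\"" + typeof(Note).AssemblyQualifiedName + "\",\"Text\":\"hi\"}";

        // Weak path: the runtime type is whatever the payload named.
        Console.WriteLine(Unsafe(payload)?.GetType().Name);
        // Hardened path: the hint is discarded and the declared type is returned.
        Console.WriteLine(Safe(payload)?.GetType().Name);
    }
}
```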

Affected Versions

The following versions of Cityworks are vulnerable:

  • Cityworks Server AMS: Versions prior to 15.8.9
  • Cityworks with Office Companion: Versions prior to 23.10

Organizations using these versions should assess their deployments promptly.

Mitigation and Remediation

To mitigate the risks associated with CVE-2025-0994, organizations should:

  1. Update Software: Upgrade to Cityworks Server AMS version 15.8.9 or later, and Cityworks with Office Companion version 23.10 or later. These updates address the deserialization vulnerability.

  2. Review IIS Permissions: Ensure that IIS permissions are appropriately configured to minimize potential exploitation. Code executed through this flaw runs with the privileges of the IIS worker process, so an overprivileged application pool identity widens the impact of a successful attack.

  3. Monitor for Indicators of Compromise (IoCs): Be vigilant for signs of exploitation, such as unexpected processes or unusual network activity. Trimble has provided IoCs to assist in identifying potential breaches.

Impact of Successful Exploitation

If successfully exploited, CVE-2025-0994 allows an attacker to execute arbitrary code on the IIS web server hosting Cityworks. This can lead to:

  • Complete system compromise
  • Unauthorized access to sensitive data
  • Deployment of additional malware
  • Disruption of critical services managed by Cityworks

Given that Cityworks is often used by public utilities and municipalities, the consequences of such exploitation can be severe, potentially affecting public services and infrastructure.

Proof of Concept

A proof of concept (PoC) for CVE-2025-0994 has been developed and shared within the cybersecurity community. The PoC demonstrates how the deserialization vulnerability can be exploited to achieve remote code execution. Security researchers and administrators can refer to this PoC to understand the mechanics of the exploit and to test their systems for susceptibility.

In conclusion, CVE-2025-0994 represents a significant security risk for organizations utilizing vulnerable versions of Cityworks. Immediate action is essential to mitigate potential threats and safeguard critical infrastructure.
