Trimble Cityworks: CVE-2025-0994: Active Exploitation
Essential information
- Published: 20/02/2025 02:49
- Modified: 20/02/2025 08:58
- Tags: 2025-02-20 CVE-2025-0994 cobalt strike critical-infrastructure deserialization vulnerability iis web server remote code execution trimble cityworks vshell
- Related entities: 1 vulnerabilities (cve), 16 observables, 10 techniques (mitre), 2 malware, 5 others
Description
CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks that affects versions before 15.8.9 and Office Companion versions before 23.10. The flaw allows authenticated attackers to achieve remote code execution on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust-based loaders to deploy VShell and Cobalt Strike. Malicious files, including obfuscated JavaScript and executables, were likely downloaded from Cobalt Strike C2 servers. Shodan shows 111 exposed Cityworks instances, 21% of which are vulnerable. Most are in the US, including instances on .gov domains. Organizations are urged to upgrade to patched versions immediately, as CISA has added this CVE to its Known Exploited Vulnerabilities Catalog.