The Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a critical vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, identified as CVE-2025-0994, affects Trimble Cityworks, a widely used software for asset management and geographic information system (GIS) applications. This issue, known as the Trimble Cityworks Deserialization vulnerability, poses cybersecurity risks, especially to federal enterprises, by allowing attackers to execute remote code on affected systems.
An Overview of CVE-2025-0994
The CVE-2025-0994 vulnerability exists in Trimble Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions earlier than 23.10. This deserialization vulnerability enables authenticated users to exploit the software and potentially execute remote code on a vulnerable system. Specifically, the flaw could allow attackers to compromise a customer’s Microsoft Internet Information Services (IIS) web server, leading to remote code execution (RCE) and potentially giving malicious actors full control over the server.
CISA has classified the severity of this vulnerability as High based on its CVSS score of 8.6. The flaw primarily affects the underlying deserialization of untrusted data, a common vector for many cyberattacks. As a result, CVE-2025-0994 has become a matter of concern for organizations relying on vulnerable versions of the software.
A Deserialization Attack: What Is at Stake?
Deserialization vulnerabilities, like CVE-2025-0994, occur when untrusted data is deserialized into an object that could allow attackers to inject malicious payloads into the application. If exploited, these vulnerabilities enable remote code execution, meaning that an attacker could run arbitrary commands on the affected system, potentially leading to severe security breaches.
In this case, Trimble Cityworks’ IIS web server may become a target. As IIS is a core component for hosting Cityworks deployments, any vulnerability in this service could jeopardize the confidentiality, integrity, and availability of critical data and services. This puts organizations at considerable risk, especially those in sectors where infrastructure management and GIS data are vital.
Trimble’s Response: Timely Patches
Following the discovery of the vulnerability, Trimble quickly addressed the issue. They released security updates for both Cityworks 15.x and Cityworks 23.x software versions. The updates, which were made available to users on January 28 and 29, 2025, respectively, provide fixes that mitigate the deserialization flaw and prevent remote code execution attacks.
Trimble also issued a communication urging on-premise customers to update to the new versions immediately. The company reassured customers that the updates would be applied automatically to Cityworks Online (CWOL) deployments, reducing the need for additional action by users.
Additionally, Trimble identified two other potential security concerns in their communication: overprivileged IIS identity permissions and improperly configured attachment directories. These issues were highlighted as further areas for improvement, with specific guidance provided for users to mitigate these risks.
The Role of CISA in Addressing Vulnerabilities
The inclusion of CVE-2025-0994 in the CISA Known Exploited Vulnerabilities Catalog emphasizes the increasing significance of cybersecurity in both the public and private sectors. By adding this vulnerability to the catalog, CISA aims to raise awareness and help organizations prioritize the patching of critical vulnerabilities that are actively being exploited by cybercriminals.
CISA’s catalog serves as an essential resource for federal agencies and other organizations looking to bolster their cybersecurity posture. The catalog is regularly updated with newly discovered vulnerabilities that pose significant threats to critical infrastructure, and CVE-2025-0994 is just one of the latest examples.
In this instance, CISA has made it clear that this vulnerability is of particular concern due to its active exploitation in the wild. Organizations are strongly advised to implement the available patches and take other necessary security precautions to protect their systems.
Conclusion
To mitigate the risks posed by CVE-2025-0994, Trimble Cityworks users must promptly apply the latest patches, ensuring they update to versions 15.8.9 and above for Cityworks 15.x and 23.10 and above for Cityworks with Office Companion. Additionally, it’s crucial to configure IIS identity permissions properly and address attachment directory settings to further enhance security. As these threats continues to target new victims, staying vigilant and addressing vulnerabilities like CVE-2025-0994 is important for protecting sensitive systems. Organizations must prioritize patching and security measures to protect their infrastructure from malicious exploitation.
