CISA Warns of Trimble Cityworks RCE Vulnerability Exploited to Hack IIS Servers

CISA has issued a warning regarding a critical remote code execution (RCE) vulnerability affecting Trimble Cityworks, a popular software solution for local government and public works asset management.
The vulnerability, identified as CVE-2025-0994, allows an external actor to exploit a deserialization flaw and execute arbitrary code on a customer’s Microsoft Internet Information Services (IIS) web server.
Trimble has released updated versions of Cityworks (15.8.9 and 23.10) to address the vulnerability. The company urges on-premise customers to install the updates immediately. The updates have been automatically applied to all Cityworks Online (CWOL) deployments.
RCE on Targeted IIS
The vulnerability stems from a deserialization flaw, which can be exploited to achieve remote code execution (RCE) on the targeted IIS web server.
Successful exploitation could allow attackers to gain unauthorized access to sensitive data, disrupt critical services, and potentially gain control over the affected systems.
In addition to applying the security updates, Trimble has advised customers to review and harden their IIS identity permissions. The company has observed that some on-premise deployments may have overprivileged IIS identity permissions.
For security best practices, IIS should not be run with local or domain-level administrative privileges. Detailed instructions on how to update IIS identity permissions can be found in the latest release notes in the Cityworks Support Portal.
CWOL customers do not need to take this action, as their IIS identity permissions are already appropriately configured.
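One way to audit the overprivileged IIS identities described above is to list each application pool and test whether its identity holds local administrative rights. This is an added example, not tooling from Trimble or CISA; it assumes Windows PowerShell 5.1 on the IIS host with the WebAdministration module available, and the function name `Get-PoolFinding` is hypothetical. It checks only direct membership of the local Administrators group, so custom accounts are flagged for a manual review of nested and domain-level groups.

```powershell
# Added example (not Trimble's or CISA's tooling): flag IIS application pools
# whose identity has local administrative rights. Run elevated on the IIS host
# in Windows PowerShell 5.1 with the IIS management scripts installed.
Import-Module WebAdministration

# Direct members of local Administrators. Nested and domain groups appear as
# group entries here and are not expanded.
$adminNames = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLower() }

function Get-PoolFinding {
    param($Pool)
    $type = [string]$Pool.processModel.identityType
    if ($type -eq 'LocalSystem') {
        return 'HIGH: runs as LocalSystem, which has full control of the host'
    }
    # Map the configured identity type to the account name Windows uses for it.
    $account = switch ($type) {
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'ApplicationPoolIdentity' { "IIS APPPOOL\$($Pool.Name)" }
        'SpecificUser' {
            $u = [string]$Pool.processModel.userName
            if ($u -like '.\*') { $u = $u.Substring(2) }              # ".\svc" -> "svc"
            if ($u -notmatch '[\\@]') { $u = "$env:COMPUTERNAME\$u" } # bare name -> local account
            $u
        }
    }
    if ($adminNames -contains $account.ToLower()) {
        return "HIGH: $account is a direct member of local Administrators"
    }
    if ($type -eq 'SpecificUser') {
        return "REVIEW: $account is a custom account; check its local and domain group memberships"
    }
    return "OK: $account is not a direct member of local Administrators"
}

# One row per application pool with its configured identity type and the finding.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        AppPool = $_.Name
        Type    = $_.processModel.identityType
        Finding = Get-PoolFinding -Pool $_
    }
} | Format-Table -AutoSize -Wrap
```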
Trimble also recommends reviewing attachment directory configurations. The company advises that attachment directory root configuration should be limited to folders/subfolders that only contain attachments to prevent potential security risks.
In conjunction with the vulnerability disclosure, Trimble has provided a list of Indicators of Compromise (IOCs) to help organizations detect potential exploitation attempts.
These IOCs include SHA256 hashes of malicious files, file paths, IP addresses, and domain names associated with the attacks.
CISA strongly encourages Cityworks customers to take the following actions:
- Apply the latest security updates: Upgrade to Cityworks versions 15.8.9 or 23.10 as soon as possible.
- Review and harden IIS identity permissions: Ensure that IIS is not running with excessive privileges.
- Validate attachment directory configurations: Limit attachment directory root configuration to folders/subfolders containing attachments only.
- Monitor for IOCs: Utilize the provided IOCs to detect potential malicious activity within your network.
A Nuclei template is available to assist in detecting vulnerable instances. This template extracts the version stored in the HTML body and determines vulnerability to CVE-2025-0994. To use the Nuclei template:
- Download Nuclei.
- Copy the template to your local system.
- Run the command: `nuclei -u https://yourHost.com -t template.yaml`
Organizations are encouraged to act swiftly to mitigate risks associated with CVE-2025-0994 and to stay informed through official channels for any further updates or patches from Trimble.
The post CISA Warns of Trimble Cityworks RCE Vulnerability Exploited to Hack IIS Servers appeared first on Cyber Security News.