Trimble Cityworks Remote Code Execution Attack
What is the Attack?

Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server, potentially resulting in downtime and loss of service. According to the Trimble Cityworks website, it provides a Geographic Information System (GIS)-centric solution for local governments, utilities, airports, and public works agencies to manage and maintain infrastructure across the full lifecycle. Trimble has investigated customer reports of hackers exploiting the vulnerability to gain unauthorized access to networks, confirming that active exploitation is occurring. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog on February 7, 2025, based on evidence of active exploitation.

In a newly released report dated May 22, 2025, Cisco Talos reveals that UAT-6382 (a Chinese hacking group) successfully exploited CVE-2025-0994, carried out reconnaissance, and deployed multiple web shells along with custom malware to establish and sustain long-term access.

What is the recommended Mitigation?

The CVE-2025-0994 flaw affects Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. Trimble has released updates addressing this deserialization flaw. Ensure these updates are applied to your systems.

What FortiGuard Coverage is available?

FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory. FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns. Antimalware and Sandbox Service delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats. The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
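The mitigation section gives two fixed-version thresholds (15.8.9 for Cityworks, 23.10 for Cityworks with office companion). The following is an added example, not code from Trimble or FortiGuard, that turns those thresholds into an inventory check a defender can run against a list of deployed hosts. The inventory rows, host names and product labels are constructed for illustration; how the installed version string is collected from a given deployment is an assumption left to the caller.

```python
"""Constructed example: classify Trimble Cityworks version strings as affected
or fixed for CVE-2025-0994 using the fixed versions named in the advisory.
Host names and versions below are made-up sample data, not real systems."""
from typing import List, Tuple

# Fixed versions from the advisory: any version that sorts lower is affected.
# The product keys are labels chosen for this example, not vendor identifiers.
FIXED_VERSIONS = {
    "cityworks": (15, 8, 9),
    "cityworks_office_companion": (23, 10),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.8.9' into (15, 8, 9); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is below the fixed version for that product.

    Tuple comparison handles differing lengths correctly: (23,) < (23, 10) is
    True, while (23, 10, 1) < (23, 10) is False, so a later patch level on the
    fixed branch is not flagged.
    """
    fixed = FIXED_VERSIONS[product]
    return parse_version(version) < fixed


def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the host names from (host, product, version) rows still on an affected version."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory: the collection mechanism (CMDB export, scan
# result, etc.) is an assumption outside this example.
SAMPLE_INVENTORY = [
    ("gis-app-01", "cityworks", "15.8.7"),
    ("gis-app-02", "cityworks", "15.8.9"),
    ("pw-office-01", "cityworks_office_companion", "23.9"),
    ("pw-office-02", "cityworks_office_companion", "23.10"),
]


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2025-0994, apply the vendor update")
```

The check deliberately raises on a version string it cannot parse rather than treating it as patched, so an empty or malformed inventory field surfaces as an error instead of silently dropping a host from the list.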