FOCUS MODE
EXTRACT IOC
MINDMAP
Threat Research

Trimble Cityworks: CVE-2025-0994

RecordedFuture
Trimble Cityworks: CVE-2025-0994
CVE-2025-0994 represents a severe deserialization vulnerability in Trimble Cityworks, impacting various critical infrastructure sectors including water, energy, and government services. Exploiting this vulnerability allows authenticated attackers to execute remote code on Microsoft IIS servers. Versions of Cityworks prior to 15.8.9 and Cityworks with Office Companion before 23.10 are affected. The exploitation has led to the delivery of malicious payloads, including Rust-based loaders and Cobalt Strike. Affected: Trimble Cityworks, Microsoft IIS, critical infrastructure sectors

Keypoints :

  • CVEs are high-severity deserialization vulnerabilities.
  • Trimble Cityworks is used by local governments and utilities.
  • The vulnerability allows authenticated attackers to perform remote code execution.
  • Versions before Cityworks 15.8.9 and Office Companion 23.10 are vulnerable.
  • Malicious payloads include Rust-based loaders, obfuscated JavaScript, and various executables.
  • 111 exposed Cityworks instances were identified, with 21% vulnerable.
  • The majority of vulnerable instances are geolocated in the US, many associated with .gov domains.
  • Mitigation is essential, with upgrades recommended to safeguard systems.

MITRE Techniques :

  • T1203: Exploit Public-Facing Application – Exploiting the deserialization vulnerability on public-facing Cityworks instances.
  • T1071: Application Layer Protocol – Utilizing custom payloads to communicate with Cobalt Strike infrastructure.
  • T1055: Process Injection – Loading malicious processes like VShell and Cobalt Strike into memory.
  • T1036: Masquerading – Renaming files to disguise them as legitimate services.
  • T1105: Remote File Copy – Transferring malicious executables from the threat actor’s infrastructure to the victim’s systems.

Indicator of Compromise :

  • [SHA-256] 4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5
  • [SHA-256] 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
  • [IPv4:port] 192.210.239[.]172:3219
  • [IPv4:port] 192.210.239[.]172:4219
  • [File] fq1u4t83[.]exe

Full Story: https://www.recordedfuture.com/blog/trimble-cityworks-cve-2025-0994-vulnerability-analysis

Views: 72

Tags: VULNERABILITY, GOVERNMENT, CRITICAL INFRASTRUCTURE, PAYLOAD, CVE, EXPLOIT