Full Report
Federal civilian agencies have been ordered to patch a vulnerability impacting Trimble Cityworks — a popular tool used by many governments to manage public infrastructure.
Analysis Summary
# Vulnerability: Remote Code Execution in Trimble Cityworks
## CVE Details
- CVE ID: CVE-2025-0994
- CVSS Score: 8.4 (High)
- CWE: Not explicitly stated in the summary, but related to RCE.
## Affected Systems
- Products: Trimble Cityworks (Asset management system for public infrastructure)
- Versions: All Cityworks versions prior to 15.8.9
- Configurations: Affects deployments running on Microsoft Internet Information Services (IIS) web servers.
## Vulnerability Description
The vulnerability allows malicious actors to potentially conduct Remote Code Execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server hosting the Trimble Cityworks deployment.
## Exploitation
- Status: Exploited in the wild (Confirmed by CISA and added to the KEV catalog)
- Complexity: Not explicitly stated, but implies network exploitability given the RCE vector.
- Attack Vector: Network (Implied by RCE against a web server)
## Impact
- Confidentiality: Not explicitly stated (Likely High due to RCE)
- Integrity: Not explicitly stated (Likely High due to RCE)
- Availability: Not explicitly stated (Likely High due to RCE)
## Remediation
### Patches
- Patch released on January 29.
- Upgrade to Cityworks version 15.8.9 or later.
### Workarounds
- Customers should limit permissions connected to Cityworks.
- The system “should not be run with local or domain level administrative privileges on any site.”
## Detection
- Indicators of Compromise (IoCs) were provided alongside the customer communication letter.
- Detection methods rely on monitoring unauthorized access attempts targeting Cityworks deployments.
## References
- [Vendor advisory/Customer Communication](https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/)
- [CISA KEV Catalog Update](https://www.cisa.gov/news-events/alerts/2025/02/07/cisa-adds-one-known-exploited-vulnerability-catalog)
- [CISA ICS Advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04)