- Trimble warns that Cityworks is being abused in RCE attacks
- The company has released a patch to fix the problem
- CISA urges users to apply the patch as soon as possible
Hackers are abusing government software to gain access to sensitive servers, experts have warned.
The warning comes from software vendor Trimble, whose product appears to have been used in the attacks. In a letter sent to its customers and partners, Trimble said it had observed cybercriminals abusing a deserialization vulnerability in its Cityworks product to achieve remote code execution (RCE) and deploy Cobalt Strike beacons on Microsoft Internet Information Services (IIS) servers.
Trimble Cityworks is asset management and geographic information system (GIS) software designed to help local governments and utilities manage infrastructure, maintenance and operations effectively. It turned out to be vulnerable to CVE-2025-0994, a high-severity deserialization bug allowing RCE, which was given a severity score of 8.6 (high).
Patching the flaw
“Following our investigations into reports of unauthorized attempts to access Cityworks deployments of specific customers, we have three updates to provide you,” the company said in the letter. To address the threat, Trimble updated Cityworks 15.x to version 15.8.9 and 23.x to 23.10. It also warned that it had discovered some on-premise deployments with overprivileged IIS identity permissions, and added that some deployments had inappropriate attachment directory configurations.
All of these issues must be addressed together to mitigate the threat and return Cityworks to normal operations.
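The fixed releases named in Trimble's letter are branch-specific (15.x must reach 15.8.9, 23.x must reach 23.10), so a plain "newer is better" comparison across branches is not enough. The following is an added example, not code from the article or from Trimble, that checks an installed version string against the fixed release for its own branch; it assumes versions are plain dotted numerics, and the inventory it scans is constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# Fixed releases per major branch, taken from the Trimble letter quoted above.
# Any other branch is treated as "not covered" rather than guessed at.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    15: (15, 8, 9),
    23: (23, 10),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '15.8.2' into a comparable tuple.

    Assumption: Cityworks versions are purely numeric dotted strings.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """Return True if the version is at or above the fixed release for its branch,
    False if it is below, and None if the branch is not mentioned in the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so (15, 8) < (15, 8, 9) and
    # (23, 10, 1) >= (23, 10), which matches how dotted versions are ordered.
    return parsed >= fixed


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: installed_version}, list hosts still on a vulnerable build.

    Hosts on a branch the advisory does not cover are reported too, since they
    cannot be confirmed safe from version alone.
    """
    needs_update = []
    for host, version in sorted(inventory.items()):
        if is_patched(version) is not True:
            needs_update.append(host)
    return needs_update


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "gis-app-01": "15.8.2",   # 15.x below 15.8.9 -> needs update
    "gis-app-02": "15.8.9",   # exactly the fixed release -> patched
    "gis-app-03": "23.9",     # 23.x below 23.10 -> needs update
    "gis-app-04": "23.10.1",  # above 23.10 -> patched
    "gis-app-05": "22.4",     # branch not covered by the letter -> flag for review
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update or review required")
```

Feeding this the output of whatever inventory source an organisation already has (CMDB export, configuration management facts) gives a quick first pass; it does not replace checking the IIS identity permissions and attachment directory configuration that the letter also calls out, since those are not visible from a version number.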
It is not known how widespread the attacks are, or whether any organizations have been compromised as a result, but the US Cybersecurity and Infrastructure Security Agency (CISA) has published a coordinated advisory urging customers to apply the fixes as soon as possible, BleepingComputer found. “CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” it noted.
“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.”
Via BleepingComputer