Sunday, February 23, 2025

CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.

The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.

“This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server,” CISA said in an advisory dated February 6, 2025.

The flaw affects the following versions:

  • Cityworks (All versions prior to 15.8.9)
  • Cityworks with office companion (All versions prior to 23.10)

While Trimble has released patches to address the security defect as of January 29, 2025, CISA has warned that it is being weaponized in real-world attacks.

The Colorado-headquartered company also noted that it has received reports of “unauthorized attempts to gain access to specific customers’ Cityworks deployments.”

Indicators of compromise (IoCs) released by Trimble show that the vulnerability is being exploited to drop a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool named VShell, among other unidentified payloads.

It is currently not known who is behind the attacks, and what the end goal of the campaign is. Users running affected versions of the software are advised to update their instances to the latest version for optimal protection.
