A zero-day vulnerability in Trimble CityWorks allows remote code execution on the Microsoft IIS web servers that host the application. According to CISA, the vulnerability is already being exploited in the wild.
CityWorks is a GIS-oriented solution commonly used by municipal authorities, airports, utilities, and other infrastructure management organizations worldwide, making it an attractive target for cybercriminals.
Successful exploitation of CVE-2025-0994 (CVSS 8.6) allows an authenticated attacker to execute arbitrary code on the IIS web server hosting CityWorks; how much of the server that yields depends on the privileges of the IIS identity, which is why the permission review below matters. The flaw is a deserialization of untrusted data (CWE-502) and affects all versions of CityWorks prior to 15.8.9, as well as CityWorks with Office Companion prior to version 23.10.
CISA has published an ICS advisory for the vulnerability because of its wide deployment in industrial and critical infrastructure sectors. CityWorks itself does not directly control industrial processes, however, so exploitation does not give an attacker direct control of ICS/OT systems. According to Trimble, attackers have used CVE-2025-0994 to deliver Cobalt Strike and other, undisclosed malware, which suggests targeted attacks on specific organizations rather than opportunistic mass exploitation.
The identity of the attackers remains unknown, but Trimble has received reports of unauthorized access attempts on specific CityWorks deployments. Given the nature of the software’s users, it is possible that the attacks were aimed at critical infrastructure facilities.
Trimble has released fixed versions: CityWorks 15.8.9 and CityWorks with Office Companion 23.10. Customers of CityWorks Online receive the update automatically, while organizations with on-premises deployments must upgrade manually. Trimble also advises reviewing IIS permissions: in some deployments the IIS identity runs with more privilege than the application needs (for example, local or domain administrator rights), which turns code execution in the web application into full control of the server.
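The IIS permission review recommended above can be scripted. The following PowerShell is an added example written for this page, not tooling from Trimble or CISA: it inventories every IIS application pool on the host, maps it to the sites and applications it serves, and flags pools whose worker process runs as LocalSystem or as a custom account that is a member of the local Administrators group. It assumes Windows Server with the WebAdministration module available and an elevated session; membership in domain groups such as Domain Admins is not checked and would need the ActiveDirectory module.

```powershell
# Added example (not Trimble's or CISA's tooling): inventory IIS application
# pools on a CityWorks host and flag those running with excessive privilege.
# Assumes Windows Server with IIS, the WebAdministration module, and an
# elevated session (needed for Get-LocalGroupMember).
Import-Module WebAdministration

# Identity types that give w3wp.exe SYSTEM-level rights outright.
$highPrivilegeTypes = @('LocalSystem')

# Members of the local Administrators group, lower-cased for comparison.
# Names come back as COMPUTER\user or DOMAIN\user.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $identityType = [string]$pool.processModel.identityType
    $userName     = [string]$pool.processModel.userName

    # Sites and applications served by this pool, so a finding maps to a URL path.
    $sites = @(Get-Website | Where-Object { $_.applicationPool -eq $pool.Name } |
        ForEach-Object { $_.Name })
    $apps  = @(Get-WebApplication | Where-Object { $_.applicationPool -eq $pool.Name } |
        ForEach-Object { $_.path })

    $reason = $null
    if ($highPrivilegeTypes -contains $identityType) {
        $reason = "pool runs as $identityType"
    }
    elseif ($identityType -eq 'SpecificUser' -and $userName) {
        # Assumption: the pool's userName is stored as DOMAIN\user; a bare
        # user name will not match the group member list and must be checked by hand.
        if ($localAdmins -contains $userName.ToLowerInvariant()) {
            $reason = "custom identity '$userName' is a local Administrator"
        }
    }

    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $identityType
        UserName     = $userName
        Serves       = ($sites + $apps) -join ', '
        Finding      = $reason   # $null means nothing flagged
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit when anything is flagged, so the check can run from a scheduler.
if ($findings | Where-Object { $_.Finding }) { exit 1 } else { exit 0 }
```

The safe configuration is a pool running as ApplicationPoolIdentity (or a dedicated low-privilege service account) with write access limited to the directories the application actually needs; any pool this script flags should be changed before, not after, the update is deployed, because the patch removes the entry point but not the blast radius of an over-privileged worker process.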
CISA stresses the importance of implementing security measures such as reviewing directory configurations, minimizing IIS access rights, and deploying updates. The