Trimble Cityworks: CVE-2025-0994: Active Exploitation
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A high-severity deserialization vulnerability in Trimble Cityworks, CVE-2025-0994, affects versions before 15.8.9 and Office Companion versions before 23.10. The flaw allows authenticated attackers to execute code remotely on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust-based loaders to deploy VShell and Cobalt Strike. Malicious files, including obfuscated JavaScript and executables, were likely downloaded from Cobalt Strike C2 servers. Shodan reveals 111 exposed Cityworks instances, with 21% vulnerable. The majority are in the US, including .gov domains. Organizations are urged to upgrade to patched versions immediately, as CISA has added this CVE to its Known Exploited Vulnerabilities Catalog.
OPENCTI LABELS:
cobalt strike, remote code execution, critical infrastructure, vshell, cve-2025-0994, trimble cityworks, iis web server, deserialization vulnerability