CVE-2025-0994 — Trimble Cityworks Deserialization Vulnerability

CVE-2025-0994

Trimble Cityworks — Authenticated .NET Deserialization RCE Against IIS Web Server; Targets Government and Utility Infrastructure

What is Trimble Cityworks?

Trimble Cityworks is a GIS-centric asset management platform used by local governments, municipalities, utilities, and public works departments to manage infrastructure — roads, bridges, water/wastewater pipes, electrical systems, parks, and public facilities. It integrates with ESRI GIS platforms and allows field workers to track maintenance requests, work orders, and inspection data. The platform is deployed widely across US municipal governments and utilities — organizations that are a key target for Chinese state-sponsored threat actors (Volt Typhoon) seeking pre-positioned access to critical infrastructure.

Overview

CVE-2025-0994 is a deserialization of untrusted data vulnerability (CWE-502) in Trimble Cityworks that allows an authenticated attacker with low-level user privileges to perform remote code execution against the Cityworks IIS web server. CISA added it to the KEV catalog one day after publication (published February 6, added February 7) and issued a CISA ICS Advisory (ICSA-25-037-04), reflecting rapid confirmation of active exploitation against critical infrastructure targets.

Affected Versions

Trimble published specific affected version details in the customer communication linked above. The vulnerability affects Cityworks server installations configured with Microsoft IIS. Customers should consult the Trimble advisory for their specific version status.

Technical Details

The deserialization vulnerability (CWE-502) allows an authenticated Cityworks user with low privileges (PR:L — any user account) to submit a maliciously crafted serialized object through the web application interface. When the IIS web server deserializes the object, the .NET deserialization mechanism processes attacker-controlled type information and method calls — executing arbitrary code with the privileges of the IIS application pool identity.

In a typical Cityworks deployment, the IIS application pool runs under a service account with access to:

  • The Cityworks database (containing infrastructure asset data, work order history)
  • The Windows host operating system
  • Network resources accessible from the server (potentially internal GIS systems, utility SCADA integration points)

Post-exploitation targeting context: Volt Typhoon (Chinese state-sponsored) has been linked to pre-positioning in water, wastewater, energy, and municipal networks. A compromised Cityworks server — embedded in local government and utility IT infrastructure — provides a foothold for long-term persistent access to critical infrastructure environments.

Discovery

Trimble notified customers directly on February 5, 2025. CISA's 1-day turnaround from CVE publication to KEV listing indicates active exploitation was immediately confirmed.

Exploitation Context

CISA issued a dedicated ICS Advisory (ICSA-25-037-04) alongside the KEV listing, indicating the critical infrastructure sector context. Active exploitation against municipal governments and utilities was confirmed. The targeting pattern is consistent with Chinese state-sponsored actors (Volt Typhoon) pre-positioning in US critical infrastructure, though CISA's advisory did not attribute the activity to a specific actor.

Remediation

  1. Apply Trimble Cityworks patches immediately per the customer communication. The CISA deadline was February 28, 2025.
  2. Restrict Cityworks access to authenticated internal users only — internet-facing Cityworks deployments should be protected by VPN or IP allowlisting.
  3. Review IIS application pool permissions — apply least-privilege to the Cityworks application pool service account; it should not have domain admin or broad network access beyond what Cityworks requires.
  4. Hunt for indicators of compromise: look for unusual IIS requests with large serialized payloads, unexpected child processes from the IIS worker process (w3wp.exe), and anomalous network connections from the Cityworks server.
  5. Apply network segmentation between the Cityworks server and any OT/SCADA integration points to limit lateral movement potential from a compromised server.
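
The hunt in step 4, sketched as an added example (not code from Trimble or CISA): it flags authenticated POSTs with large bodies in an IIS W3C log and process-creation events where w3wp.exe starts a command interpreter. It assumes the optional cs-bytes field is enabled in IIS logging and that process events are exported as JSON lines with Sysmon-style ParentImage/Image fields; the size threshold, the watchlist, and all sample data are assumptions constructed for illustration.

```python
import json

LARGE_BODY_BYTES = 32 * 1024   # assumed, tunable threshold for "large" request bodies
# Assumed watchlist: interpreters an IIS worker process rarely has reason to start.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

def large_posts(w3c_lines, threshold=LARGE_BODY_BYTES):
    """Authenticated POSTs in an IIS W3C log whose cs-bytes exceeds threshold."""
    fields, hits = [], []
    for line in w3c_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
        elif fields and line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            size = row.get("cs-bytes", "-")
            if (row.get("cs-method") == "POST" and row.get("cs-username", "-") != "-"
                    and size.isdigit() and int(size) > threshold):
                hits.append(row)
    return hits

def w3wp_children(event_lines, watchlist=SUSPECT_CHILDREN):
    """Process-creation events (JSON lines) where w3wp.exe started a watchlisted image."""
    basename = lambda p: p.lower().rsplit("\\", 1)[-1]
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        if basename(ev.get("ParentImage", "")) == "w3wp.exe" and basename(ev.get("Image", "")) in watchlist:
            hits.append(ev)
    return hits

# Constructed sample data: URIs, accounts and addresses are placeholders, not Cityworks values.
SAMPLE_IIS = [
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes",
    "2025-02-10 08:01:12 GET /placeholder/index.aspx jdoe 10.0.0.5 200 412",
    "2025-02-10 08:03:40 POST /placeholder/save.ashx jdoe 10.0.0.5 200 2310",
    "2025-02-10 08:04:02 POST /placeholder/handler.ashx fieldtech7 203.0.113.9 500 183402",
]
SAMPLE_PROC = [
    r'{"UtcTime": "2025-02-10 08:04:03", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"}',
    r'{"UtcTime": "2025-02-10 08:04:04", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}',
]

if __name__ == "__main__":
    for r in large_posts(SAMPLE_IIS):
        print("large POST:", r["date"], r["time"], r["cs-username"], r["cs-uri-stem"], r["cs-bytes"])
    for e in w3wp_children(SAMPLE_PROC):
        print("w3wp.exe child:", e["UtcTime"], e["Image"])
```

Correlating the two result sets by timestamp narrows review to requests that were followed within seconds by a worker-process child; csc.exe is left off the watchlist because ASP.NET compilation starts it routinely.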

Key Details

Property              Value
CVE ID                CVE-2025-0994
Vendor / Product      Trimble — Cityworks
NVD Published         2025-02-06
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-502
CISA KEV Added        2025-02-07
CISA KEV Deadline     2025-02-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-02-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-02-05  Trimble notifies customers; patches available
2025-02-06  CVE published
2025-02-07  CISA adds to KEV; CISA ICS Advisory ICSA-25-037-04 published (1-day turnaround)
2025-02-28  CISA BOD 22-01 remediation deadline