Is Your Cityworks Software Vulnerable to Exploitation?


Cityworks, an enterprise asset management software developed by Trimble, has recently come under scrutiny due to the discovery of a critical zero-day vulnerability. Known as CVE-2025-0994, this flaw has been identified as a high-severity deserialization vulnerability, which permits remote code execution (RCE) in unpatched versions of the software. The alarming nature of this vulnerability and its active exploitation have compelled immediate and concerted action from both Trimble and cybersecurity authorities to mitigate risks and safeguard affected systems.

Understanding the CVE-2025-0994 Vulnerability

Nature of the Vulnerability

CVE-2025-0994 is classified as a deserialization of untrusted data flaw. It affects all versions of the Cityworks EAM (Enterprise Asset Management) product prior to version 15.8.9, as well as Cityworks with Office Companion releases preceding version 23.10. The vulnerability allows an authenticated user to carry out a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server, thereby compromising the system’s security and functionality. Remote code execution poses significant risks, enabling malicious actors to gain unauthorized access, manipulate data, or disrupt services.

Active Exploitation and Response

The Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of this vulnerability, although the full extent of these offensive activities remains undisclosed. In response, Trimble, the technology vendor behind Cityworks, acted decisively. The company swiftly provided patches and advisory notes to its customers. Trimble recommended that on-premises customers update their systems to the latest versions (15.8.9 for Cityworks EAM and 23.10 for Cityworks with Office Companion). Furthermore, Cityworks Online (CWOL) deployments benefit from automatic updates, adding a layer of convenience and security for these users. This prompt response underscores the criticality of the vulnerability and the need for immediate remediation.

Mitigation Measures and Recommendations

Overprivileged IIS Identity Permissions

One of the mitigating steps highlighted by Trimble is the correction of overprivileged IIS identity permissions in on-premises deployments. Some systems were found to be running IIS with local or domain-level administrative privileges, which could lead to elevated risks if exploited. Customers are strongly advised to reassess their configuration and ensure that IIS does not operate under such elevated permissions. Detailed guidance for updating these identity permissions is accessible on the Cityworks Support Portal. Trimble further reassured that CWOL customers already have suitably configured IIS identity permissions, thereby reducing their risk.
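One way to check for the overprivileged identities described above, as an added example that is not taken from Trimble's guidance or the Cityworks Support Portal. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available.

```powershell
# Added example (not Trimble's guidance): list IIS application pools whose
# identity is LocalSystem or an account that is a direct member of the
# local Administrators group. Run in an elevated session on the IIS host.
Import-Module WebAdministration

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type   = [string]$pool.processModel.identityType
    $user   = [string]$pool.processModel.userName
    $reason = $null

    if ($type -eq 'LocalSystem') {
        $reason = 'Runs as LocalSystem'
    }
    elseif ($type -eq 'SpecificUser' -and $user) {
        try {
            # Resolve the configured account to a SID so that different name
            # formats (DOMAIN\user, .\user, user) compare reliably.
            $name = $user -replace '^\.\\', "$env:COMPUTERNAME\"
            $sid  = ([System.Security.Principal.NTAccount]$name).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
            if ($adminSids -contains $sid) {
                $reason = 'Account is a direct member of local Administrators'
            }
        }
        catch {
            $reason = 'Account could not be resolved; review manually'
        }
    }

    if ($reason) {
        [pscustomobject]@{
            AppPool  = $pool.Name
            Identity = "$type $user".Trim()
            Finding  = $reason
        }
    }
}

$findings | Format-Table -AutoSize
```

The check covers direct membership only; accounts that receive administrative rights through nested or domain groups still need a manual review.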

Attachment Directory Configurations

Another critical recommendation from Trimble involved the configuration of attachment directories. Some Cityworks deployments were identified with inappropriate attachment directory setups. Attachment directories should strictly be confined to folders and subfolders exclusively containing valid attachments, preventing unauthorized data from being inadvertently executed or accessed. Trimble provided specific instructions for properly configuring these directories, available on the Cityworks Support Portal. Such proactive measures, when combined with patch updates, greatly enhance the overall security posture of the deployment.
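The attachment directory recommendation above can be audited with a script along these lines. This is an added example, not Trimble's instructions: the `$AttachmentRoot` parameter is a placeholder for your configured directory, and the list of unexpected extensions is an assumption to adapt to your own attachment policy.

```powershell
# Added example (not Trimble's instructions): audit an attachment directory.
param(
    # Placeholder: the attachment directory configured for your deployment.
    [Parameter(Mandatory)][string]$AttachmentRoot
)
Import-Module WebAdministration

# Assumption: file types not expected among attachments because IIS/ASP.NET
# or Windows can execute them. Adjust to your own attachment policy.
$unexpected = '.aspx', '.ashx', '.asmx', '.asax', '.cshtml', '.config',
              '.dll', '.exe', '.ps1', '.bat', '.cmd', '.vbs'

$root = (Resolve-Path -LiteralPath $AttachmentRoot).ProviderPath.TrimEnd('\')

# Check 1: files under the attachment root that are not plausible attachments.
$suspectFiles = Get-ChildItem -LiteralPath $root -Recurse -File -Force |
    Where-Object { $unexpected -contains $_.Extension.ToLowerInvariant() } |
    Select-Object FullName, Length, LastWriteTime

# Check 2: IIS content paths located at or below the attachment root, which
# means the configured directory holds more than attachments.
$iisObjects   = @(Get-Website) + @(Get-WebApplication) + @(Get-WebVirtualDirectory)
$contentPaths = $iisObjects |
    Where-Object { $_.PhysicalPath } |
    ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_.PhysicalPath).TrimEnd('\')
    } |
    Sort-Object -Unique

$overlaps = $contentPaths | Where-Object {
    $_ -ieq $root -or
    $_.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
}

'Files with unexpected types under the attachment root:'
$suspectFiles | Format-Table -AutoSize

'IIS content paths at or below the attachment root:'
$overlaps
```

Both lists should come back empty for a directory that contains only attachments; any entry is a prompt to review the configuration against the vendor's instructions.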

Impact and Severity of the Vulnerability

CVSS Scores and Severity

CVE-2025-0994 carries a CVSS version 3.1 base score of 7.2 and a CVSS version 4 score of 8.6. These scores reflect high severity, indicating the potential for substantial damage if the flaw is left unaddressed. Trimble reported the vulnerability to CISA, which underscores the company’s commitment to transparent and responsible disclosure and the importance of addressing the issue quickly. The elevated CVSS scores highlight the imperative for affected users to apply patches and make the suggested configuration changes without delay.

Scope of Exploitation

Piotr Kijewski, CEO of the cybersecurity nonprofit Shadowserver Foundation, provided some context on the scope of the exploitation. He noted that the number of exposed Cityworks instances is relatively limited, with all identified instances located in North America. Kijewski identified five instances that remained unpatched despite advisories. Both Trimble and CISA refrained from commenting on the precise extent of exploitation, maintaining the focus on customer confidentiality and security, consistent with industry best practices. The limited but significant footprint of unpatched systems emphasizes the urgency for organizations to adhere to remediation guidelines.

Trimble’s Proactive Measures

Rapid Response and Customer Communication

Trimble’s approach to managing the vulnerability was characterized by rapid response and transparent communication. Following initial reports of unauthorized access attempts, Trimble quickly alerted customers and embarked on a thorough investigation of the potential threats. The company’s internal security teams identified the deserialization vulnerability, subsequently issuing the necessary security patches. This proactive stance was instrumental in containing potential breaches and exemplifies effective crisis management in the cybersecurity domain.

Additional Cybersecurity Best Practices

Beyond immediate patching, Trimble issued additional recommendations centered on cybersecurity best practices to their on-premises customers. These guidelines aim to bolster system security and prevent recurrence of similar vulnerabilities in the future. By advising on measures such as regular security audits, stringent access controls, and robust data management policies, Trimble demonstrated a commitment to long-term cybersecurity resilience. Their comprehensive advisories and focused recommendations underscore the importance of maintaining vigilant and adaptive security measures in the face of evolving threats.

Collaborative Efforts for Enhanced Security

Involvement of Cybersecurity Authorities

The involvement of the Cybersecurity and Infrastructure Security Agency (CISA) played a pivotal role in addressing the CVE-2025-0994 vulnerability. This collaboration between a major tech vendor and a federal cybersecurity authority underscores the critical nature of the vulnerability and the imperative for users to apply the recommended updates and configurations. CISA’s advisory coupled with Trimble’s swift response illustrates the effectiveness of coordinated efforts in mitigating cybersecurity risks. Such partnerships are crucial in fostering a secure digital ecosystem, capable of withstanding sophisticated cyber threats.

Importance of Adhering to Vendor Advisories

Cityworks, an enterprise asset management software by Trimble, has recently faced significant scrutiny. This is due to the identification of a critical zero-day vulnerability, officially cataloged as CVE-2025-0994. The vulnerability is a high-severity deserialization issue, which poses a serious threat as it allows remote code execution (RCE) in versions of the software that have not been updated with the necessary patches. The discovery of this alarming flaw, along with active exploitation by malicious actors, has prompted urgent and coordinated efforts from both Trimble and cybersecurity authorities to address the vulnerability. These efforts are focused on mitigating the associated risks and ensuring the protection of systems currently using the software. Users and administrators are strongly advised to apply the latest security updates immediately to defend against potential breaches. Trimble is also working closely with industry experts and stakeholders to provide the tools and resources necessary to secure their asset management systems in the wake of this critical exposure.
