Trimble Cityworks bug used to run remote code execution attacks. When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works. Hackers are hijacking government software to access sensitive servers, experts have warned. The warning comes from software vendor Trimble, whose product seems to have been used in the attack. In a letter sent to its customers and partners, Trimble said it observed cybercriminals abusing a deserialization vulnerability in its Cityworks product to engage in Remote Code Execution (RCE) and deploy Cobalt Strike beacons on Microsoft Internet Information Services (IIS) servers.
![[Avast cybersecurity]](https://vanilla.futurecdn.net/cyclingnews/media/img/missing-image.svg)
Trimble Cityworks is a Geographic Information System (GIS) asset management and permitting software designed to help local governments and utilities manage infrastructure, maintenance, and operations efficiently. It was found to have been vulnerable to CVE-2025-0994, a high-severity deserialization bug allowing for RCE, given a severity score of 8.6 (high). “Following our investigations of reports of unauthorized attempts to gain access to specific customers’ Cityworks deployments, we have three updates to provide you,” the company said in the letter. To tackle the threat, Trimble updated Cityworks 15.x to version 15.8.9, and 23.x to 23.10. It also warned about discovering some on-prem deployments having overprivileged IIS identity permissions, and added that some deployments haid incorrect attachment directory configurations.
All of these should be addressed at the same time, to mitigate the threat and resume normal operations with Cityworks. We don’t know how big the attack is, or if any organizations were compromised as a result, but the US Cybersecurity and Infrastructure Security Agency (CISA) has released a coordinated advisory, urging customers to apply the patches as soon as possible, BleepingComputer has found. “CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” it was said in the advisory.
“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.”. Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!. Via BleepingComputer. Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Please logout and then login again, you will then be prompted to enter your display name. Huge cyber attack under way - 2.8 million IPs being used to target VPN devices. HPE starts contacting victims of 2023 Russian cyberattack. 'Our goal is to make the best movie possible': Captain America: Brave New World director and producer address the Marvel film's extensive reshoots and poor test screening rumors.
