CISA Warns of Active Exploitation of Trimble Cityworks Vulnerability Leading to IIS RCE

Feb 07, 2025 | The Hacker News | Vulnerability / Malware

A security flaw in Trimble's GIS-centric asset management software has come under active exploitation in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.

In an advisory dated February 6, 2025, CISA stated that "this could allow an authenticated user to launch a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server."

The flaw affects the following versions:

  • Cityworks (all versions prior to 15.8.9)
  • Cityworks with office companion (all versions before 23.10)

CISA has warned that the security flaw is being used in real-world attacks, even though Trimble has released patches to fix it as of January 29, 2025.

The Colorado-based company added that it has received reports of "unauthorized efforts to gain access to specific users' Cityworks deployments."

Indicators of compromise (IoCs) released by Trimble show that the vulnerability is being abused to launch Cobalt Strike and a Go-based remote access tool named , among other unidentified payloads.

It is currently unknown who is behind the attacks or what the campaign's ultimate goal is. Users running affected versions of the software are advised to update their instances to the latest version for maximum protection.
