A critical vulnerability in Trimble Cityworks, tracked as CVE-2025-0994, is currently being exploited in the wild, posing significant risks to organizations using affected versions of the software. The flaw, which has a CVSS score of 8.8, is a deserialization vulnerability that could allow authenticated users to execute remote code on systems running Microsoft Internet Information Services (IIS).
The vulnerability affects Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. It was disclosed on February 6, 2025, and was added to the Known Exploited Vulnerabilities (KEV) catalog by February 7, 2025, highlighting its active exploitation status. The Exploit Prediction Scoring System (EPSS) has rated this vulnerability at 0.751, indicating a high likelihood of exploitation.
A proof-of-concept (PoC) exploit for CVE-2025-0994 is available, which has likely facilitated the rapid exploitation observed in the wild. The vulnerability's Time to Exploit (TTE) was remarkably short, with attackers leveraging it within 0.3 days of its disclosure.
Organizations using Trimble Cityworks should urgently update to version 15.8.9 or later, and Cityworks with office companion users should upgrade to version 23.10 or later to mitigate this threat. Given the vulnerability's severity and active exploitation, immediate attention is required to prevent potential breaches and unauthorized access to critical systems.
CSURFACE