
Trimble, a leading provider of industrial technology solutions, has issued an urgent cybersecurity advisory regarding a critical deserialization vulnerability affecting its Cityworks asset and work management software. Tracked as CVE-2025-0994 and with a CVSS score of 7.2, this flaw is actively being exploited, posing a significant risk to organizations using the platform.
The vulnerability impacts both Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. Successful exploitation allows an authenticated attacker to execute arbitrary code on the customer’s Microsoft Internet Information Services (IIS) web server, potentially granting them extensive control over the system.
Trimble has released updated versions of Cityworks to address this vulnerability: 15.8.9 for the 15.x branch and 23.10 for the 23.x branch. On-premises customers are strongly urged to install these updates immediately. Cityworks Online (CWOL) deployments will receive the updates automatically.
In addition to applying the updates, Trimble recommends that customers review and adjust their IIS identity permissions and attachment directory configurations. Overprivileged IIS identity permissions or improper attachment directory configurations could exacerbate the impact of this vulnerability.
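As an added example that is not part of Trimble's advisory, the following PowerShell audit (assumed to run on the Cityworks IIS host with the WebAdministration module available) checks an installed version against the fixed releases named above, flags application pools running under highly privileged identities, and reports an attachment directory that sits under the web root or is writable by broad groups; `$SiteName` and `$AttachmentDir` are placeholders for the deployment's own values.

```powershell
# Added audit example, not Trimble's code. Assumes the WebAdministration module on the
# Cityworks IIS host; $SiteName and $AttachmentDir are placeholders for the deployment's values.
Import-Module WebAdministration

$SiteName      = 'Cityworks'                # placeholder: IIS site hosting Cityworks
$AttachmentDir = 'D:\CityworksAttachments'  # placeholder: configured attachment directory

# Fixed releases named in the advisory: 15.8.9 (15.x branch) and 23.10 (23.x branch).
# Assumption: the major version identifies which branch an installation belongs to.
function Test-CityworksVersionVulnerable {
    param([version]$Installed)
    if ($Installed.Major -le 15) { return $Installed -lt [version]'15.8.9' }
    return $Installed -lt [version]'23.10'
}

# Application pools whose identity is LocalSystem or a member of local Administrators:
# code run under such an identity gets full control of the host, not just the site.
function Get-OverprivilegedAppPools {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    Get-ChildItem IIS:\AppPools | Where-Object {
        $pm = $_.processModel
        $pm.identityType -eq 'LocalSystem' -or
        ($pm.identityType -eq 'SpecificUser' -and $pm.userName -in $admins)
    } | Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.identityType } }
}

# Attachment directory findings: located under the site's web root (uploaded content
# becomes web-reachable) or writable by broad groups rather than the pool identity only.
function Get-AttachmentDirFindings {
    param([string]$Path, [string]$Site)
    $findings = @()
    $webRoot = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $Site).physicalPath)
    if ($Path.TrimEnd('\') -like "$($webRoot.TrimEnd('\'))*") {
        $findings += "attachment directory '$Path' sits under web root '$webRoot'"
    }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in $broad -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
            $findings += "'$($ace.IdentityReference)' has $($ace.FileSystemRights) on '$Path'"
        }
    }
    return $findings
}

Get-OverprivilegedAppPools
Get-AttachmentDirFindings -Path $AttachmentDir -Site $SiteName
```

`Test-CityworksVersionVulnerable` takes the version string reported by the Cityworks installation itself; the script does not attempt to read it, since the advisory does not describe where it is stored.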
The Cybersecurity and Infrastructure Security Agency (CISA) has received reports of active exploitation of this vulnerability. Organizations using Trimble Cityworks are urged to take immediate action to mitigate the risk.
Given the severity of the vulnerability and the ongoing attacks, prompt patching and configuration adjustments are crucial to prevent attackers from compromising Cityworks deployments and potentially disrupting critical infrastructure operations.