Skip to main content
close search
site logo
Dive Brief

CISA warns of hackers targeting vulnerability in Trimble Cityworks to conduct RCE

The software is widely used in projects by local governments, utilities, airports and other facilities.

Published Feb. 10, 2025
David Jones's headshot
Reporter
A large sign sits out front of construction technology firm Trimble's headquarters in Westminster, Colorado. The sign reads "Trimble", and a large building looms in the background.
A shot of Trimble's headquarters in Westminster, Colorado, after relocating in 2022. Officials in February 2025, warn of a vulnerability in the company's Cityworks application being targeted. Courtesy of Trimble

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency warned hackers are targeting a vulnerability in Trimble Cityworks that could allow an attacker to conduct remote code execution. 
  • The deserialization vulnerability, tracked as CVE-2025-0994, can enable an attacker to conduct remote code execution against a user’s Microsoft Internet Information Services web server, according to the CISA advisory. 
  • Trimble discovered the vulnerability after it was warned about third-party attempts to gain access to certain Cityworks deployments, a spokesperson told Cybersecurity Dive via email.

Dive Insight:

Trimble Cityworks is asset management software used to help organize various projects, including local government, utilities, airports and other types of facilities. 

After investigating the warnings of third-party exploitation, the company issued a patch for the affected versions, the spokesperson said.

Trimble warned customers that some on-premises deployments may have overprivileged Internet Information Services identity permissions. Trimble advised that IIS should not be run “with local or domain level administrative privileges on any site.”

CISA added the vulnerability to its known exploited vulnerabilities catalog.

Researchers from Symantec warned that a range of tools were being used in threat activity, including Cobalt Strike, variants of privilege escalation tool GodPotato and JavaScript reconnaissance tools, according to a document seen by Cybersecurity Dive. 

Editors' picks

Company Announcements

View all | Post a press release
Moving On IT Gears Up for Explosive Growth in 2025
From Moving On IT | Tomorrow's Technology. Today.
January 22, 2025
Americans Growing More Dependent on Digital Services, but Trust in Data Privacy Remains Low, N…
From Upwind
January 28, 2025
Invary’s Mission to Ensure the Confidentiality and Security of Systems at Runtime Accelerates …
From Invary
February 03, 2025
Cobalt Iron Compass® Named a DCIG TOP 5 Enterprise VMware Backup Solution for 2025-26
From Cobalt Iron
February 05, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.