Hackers Breach Microsoft IIS Servers Using Cityworks RCE Bug. Here is a quick look at what to know.

Hackers have found a way to exploit a critical vulnerability in Trimble Cityworks software, targeting Microsoft IIS servers. The flaw, known as CVE-2025-0994, lets attackers remotely run commands on affected servers. Cityworks is widely used by local governments, utilities, and public works organizations.

Urgent Security Updates Released

Trimble has issued security updates to fix the vulnerability. They strongly advise customers to apply these updates right away. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warns users about the active exploitation of this flaw.

How the Bug Works

This vulnerability arises from a deserialization issue. It allows authenticated users to remotely execute code on a customer’s IIS servers. Successful attacks could lead to unauthorized access to data, disruption of services, and control over affected systems.

Spotting the Threat

Trimble has provided indicators of compromise (IOCs) to help organizations detect attacks. These include hashes of malicious files, file paths, IP addresses, and domain names related to the attacks. Administrators should review and tighten their IIS identity permissions and check attachment directory settings.

CISA’s Involvement

CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog. They require Federal Civilian Executive Branch (FCEB) agencies to fix the flaw by February 28, 2025. Users and administrators are urged to look for IOCs and apply the necessary updates and workarounds.

Update to Stay Safe

Trimble advises Cityworks customers to upgrade to the latest versions (15.8.9 and 23.10). These updates are automatically applied to Cityworks Online (CWOL) deployments. On-premise customers need to manually install the updates to protect their systems.

Secure Attachment Folders

In addition to applying updates, Trimble recommends restricting attachment root folders to contain only attachments. This helps prevent potential security risks from incorrect attachment directory settings.

CISA’s Advisory

CISA has released an advisory, urging customers to secure their networks immediately. They haven’t detailed how the flaw is being exploited, but Trimble has shared indicators of compromise for the attacks.

These indicators help organizations detect and respond to potential threats quickly. CISA also recommends implementing additional security measures, such as network segmentation and enhanced monitoring, to further protect against exploitation.

Impact on Users

Cityworks is a GIS-centric solution used globally to manage infrastructure. The vulnerability affects versions before 15.8.9 and Cityworks with office companion versions before 23.10. The latest versions, released in January 2025, fix the flaw.

This issue has significant implications for organizations relying on Cityworks, as it could lead to disruptions in services, unauthorized access to sensitive data, and potential financial losses. Upgrading to the latest versions and following Trimble’s security recommendations are crucial steps to ensure the safety and integrity of the systems.

Take Immediate Action

Administrators managing on-premise deployments should apply the security update as soon as possible. Cloud-hosted instances (CWOL) will get the updates automatically. Some on-premises deployments might have overprivileged IIS identity permissions, so administrators should ensure these permissions aren’t running with local or domain-level administrative privileges.

Conclusion

The Cityworks RCE bug’s exploitation underscores the need for timely security updates and proactive network management. Organizations using Trimble Cityworks should act immediately to secure their systems and prevent potential breaches.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it