CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability (CWE-502) affecting Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. The flaw targets the Microsoft Internet Information Services (IIS) web server hosting these applications, enabling remote code execution. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts across confidentiality, integrity, and availability.

An authenticated user with low privileges (PR:L) can exploit the vulnerability remotely without requiring user interaction. By leveraging the deserialization flaw, the attacker achieves remote code execution directly on the customer's IIS web server, potentially compromising the entire server environment.

Advisories recommend upgrading to Trimble Cityworks 15.8.9 or later and Cityworks office companion 23.10 or later to mitigate the issue. Key references include Trimble's customer communication at https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?, CISA ICSA-25-037-04 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04, and its listing in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994, signaling active real-world exploitation.