CyberSecurity SEE

Urgent: Zero-day flaw in Trimble Cityworks being exploited, immediate patch required

Trimble’s Cityworks enterprise asset management product is facing a severe security threat from a zero-day vulnerability that allows remote code execution. The vulnerability, tracked as CVE-2025-0994, exists in all versions of the Cityworks EAM product prior to 15.8.9 as well as versions of Cityworks with Office Companion prior to 23.10. The flaw could enable an authenticated user to achieve remote code execution against a customer’s Microsoft Internet Information Services (IIS) web server, according to a CISA advisory released last Thursday.

The advisory from CISA revealed that there have been reports of active exploitation of this vulnerability. However, it was emphasized that Cityworks software does not have the capability to control industrial processes directly and is not a part of an Industrial Control System (ICS). When questioned about the extent of the exploitation, CISA chose not to provide any further comments on the matter.

In response to the security threat, Trimble issued its own advisory with indicators of compromise and urged on-premises customers to immediately install the updated 15.8.9 and 23.10 versions of Cityworks. It also recommended that customers verify that Internet Information Services (IIS) identity permissions and attachment directory settings are properly configured to mitigate any potential risks.

After applying the necessary patches and following the mitigation advice, customers can resume normal operation of Cityworks, including the use of Office Companion. The vulnerability carries a base score of 7.2 under CVSS version 3.1 and a score of 8.6 under CVSS version 4. Trimble reported the vulnerability to CISA and has taken steps to address the issue promptly.

Piotr Kijewski, CEO of cybersecurity nonprofit Shadowserver Foundation, mentioned that there are only a few exposed instances of Cityworks globally, with all of them located in North America. He identified five unpatched instances in total, emphasizing the importance of applying the security updates provided by Trimble.

In a statement, Trimble emphasized its commitment to cybersecurity and proactive measures to protect its customer community from potential threats. The company responded swiftly to reports of unauthorized access attempts, discovered the vulnerability within Cityworks, and issued security patches to address the issue. Additionally, Trimble provided cybersecurity best practices recommendations to on-premises customers to enhance their security posture.

While Trimble did not comment on the scope of exploitation, the company remains vigilant in safeguarding its customers’ systems and data from any potential threats. As the cybersecurity landscape continues to evolve, organizations like Trimble play a crucial role in ensuring the security and integrity of their products and services.

Overall, the recent zero-day vulnerability in Cityworks serves as a reminder of the ongoing challenges in cybersecurity and the importance of timely detection, mitigation, and response to security threats in the digital age.
