Hackers Exploit Cityworks RCE Bug to Breach Microsoft IIS Servers
Summary:
CISA has added a new vulnerability to its KEV catalog, impacting Trimble's Cityworks, GIS-centric asset management software used by local governments, utilities, and public works organizations to manage public assets, work orders, permitting, licensing, capital planning, and budgeting. The vulnerability, tracked as CVE-2025-0994, is a deserialization-of-untrusted-data bug that could allow attackers to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server. Although Trimble patched the flaw on January 29, 2025, the vendor has received reports of actors gaining unauthorized access to customer networks by leveraging CVE-2025-0994.
Security Officer Comments:
Based on indicators of compromise shared by Trimble, CVE-2025-0994 is being exploited to deploy a Rust-based loader that launches Cobalt Strike and a Go-based remote access tool dubbed VShell. Cobalt Strike is a legitimate penetration testing tool often used for simulating cyberattacks, including tactics like post-exploitation and lateral movement within a network. However, it is also frequently abused by threat actors for malicious purposes, such as deploying payloads, maintaining persistence, and executing code remotely. Although the recent attacks exploiting CVE-2025-0994 have not yet been attributed to a known adversary, the use of tools like Cobalt Strike and VShell could enable attackers to monitor victim systems and potentially deploy additional payloads, such as ransomware, to carry out more destructive attacks.
Suggested Corrections:
CVE-2025-0994 has been addressed in Cityworks versions 15.8.9 and 23.10. Administrators should apply the security updates to their on-premise deployments as soon as possible to prevent potential exploitation attempts.
Trimble has identified that some on-premise deployments may have overly permissive Internet Information Services (IIS) identity permissions. To mitigate this risk, IIS should not be run with local or domain-level administrative privileges, as outlined in Trimble's technical documentation. Additionally, some deployments have incorrect attachment directory configurations. Trimble advises limiting the attachment directory root to only folders containing attachments. For detailed instructions on updating IIS identity permissions and configuring the attachment directory, please refer to the latest release notes in the Cityworks Support Portal (login required).
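As an added example (not from this advisory or Trimble's documentation), the following PowerShell audit lists each IIS application pool's identity on a Cityworks web server and flags pools that run as LocalSystem or as an account that is a member of the local Administrators group, which is the overly permissive configuration described above. It assumes the WebAdministration module that ships with IIS and the Get-LocalGroupMember cmdlet (Windows Server 2016 or later) are available, and it does not resolve domain-level admin groups, so a domain identity still needs to be checked in Active Directory.

```powershell
# Added audit example; not Trimble's or the page's own code.
# Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# Current members of the local Administrators group, normalized for comparison.
# Entries look like "HOST\user" or "DOMAIN\user".
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

function Get-AppPoolIdentityFinding {
    $results = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $type   = [string]$pool.processModel.identityType
        $user   = [string]$pool.processModel.userName
        $reason = 'OK (non-administrative identity)'

        if ($type -eq 'LocalSystem') {
            # SYSTEM is administrator-equivalent on the host.
            $reason = 'runs as LocalSystem (administrative)'
        }
        elseif ($type -eq 'SpecificUser' -and $user) {
            # Unqualified names are local accounts; qualify them so the
            # comparison matches Get-LocalGroupMember output.
            $qualified = if ($user -match '\\') { $user } else { "$env:COMPUTERNAME\$user" }
            if ($localAdmins -contains $qualified.ToLowerInvariant()) {
                $reason = "custom identity $user is in local Administrators"
            }
            elseif ($user -match '\\' -and $user -notmatch "^$env:COMPUTERNAME\\") {
                # Domain account: local check cannot see Domain Admins nesting.
                $reason = "domain identity $user; verify group membership in AD"
            }
        }

        $identity = if ($type -eq 'SpecificUser') { $user } else { $type }
        [pscustomobject]@{
            AppPool  = $pool.name
            Identity = $identity
            Finding  = $reason
        }
    }
    return $results
}

Get-AppPoolIdentityFinding | Format-Table -AutoSize
```

Any pool whose Finding column is not "OK" should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account per Trimble's guidance.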
IOCs:
https://learn.assetlifecycle.trimbl...orks-customer-communication-2025-02-06-docx/0
Link(s):
https://www.bleepingcomputer.com/ne...orks-rce-bug-to-breach-microsoft-iis-servers/