CVE-2025-0994

Known Exploited

Description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 contain a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

Remediation

Solution:

  • Trimble will be releasing updated versions for both the 15.x line (15.8.9 available January 28, 2025) and the Cityworks 23.x line (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal](https://cityworks.my.site.com/) (login required). On-premise customers should install the updated version immediately. These updates will be applied automatically to all Cityworks Online (CWOL) deployments.

Workaround:

  • Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For the avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain-level administrative privileges on any site. Refer to the direction in the latest release notes on the [Cityworks Support Portal](https://cityworks.my.site.com/) (login required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.
  • Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that the attachment directory root configuration be limited to folders and subfolders that contain only attachments. Refer to the direction in the latest release notes on the [Cityworks Support Portal](https://cityworks.my.site.com/) (login required) for more information on how to ensure proper configuration of the attachment directory.
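As an added defender-side check (example code, not Trimble's own and not part of the advisory), the following PowerShell audits every IIS application pool on the server for the overprivileged identity the workaround warns about. It assumes a Windows Server IIS host with the WebAdministration module, PowerShell 5.1 or later (for Get-LocalGroupMember), and an elevated session on that host.

```powershell
# Added example, not Trimble's code: flag IIS application pools whose identity is
# LocalSystem or a direct member of the local Administrators group.
# Assumes: IIS with the WebAdministration module, PowerShell 5.1+, run elevated
# on the IIS server itself.
Import-Module WebAdministration

# Direct members of the local Administrators group, e.g. "HOST\Administrator" or
# "DOMAIN\Domain Admins". Nested group membership is not resolved by this check,
# so a domain user who is an admin only via a nested group is not caught here.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

function Test-AdminIdentity {
    param([string]$Account)
    # Get-LocalGroupMember reports "HOST\name"; qualify a bare local name the same way.
    $acct = $Account.ToLowerInvariant()
    if ($acct -notmatch '\\') { $acct = "$env:COMPUTERNAME\$acct".ToLowerInvariant() }
    return [bool]($localAdmins -contains $acct)
}

$report = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $pm = $pool.processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { $account = "IIS AppPool\$($pool.name)" }
        'NetworkService'          { $account = 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { $account = 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { $account = 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $account = $pm.userName }
    }
    # LocalSystem is flagged unconditionally: it is the highest local privilege
    # regardless of whether it appears in the Administrators group listing.
    $over = ($pm.identityType -eq 'LocalSystem') -or (Test-AdminIdentity $account)
    [pscustomobject]@{
        AppPool        = $pool.name
        IdentityType   = $pm.identityType
        Account        = $account
        Overprivileged = $over
    }
}

$report | Format-Table -AutoSize
```

Any row reported with Overprivileged set to True should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account, following the Cityworks release notes.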

Category

  • CVSS score: 8.6 (Severity: High)
  • EPSS: 73.04% (Top 5%)
  • Vendor advisory: trimble.com
  • Affected: Trimble Cityworks
  • Affected: Trimble Cityworks (with office companion)

Frequently Asked Questions

What is the severity of CVE-2025-0994?
CVE-2025-0994 has been scored as a high severity vulnerability.
How to fix CVE-2025-0994?
To fix CVE-2025-0994, install the updated Cityworks versions: 15.8.9 (available January 28, 2025) for the 15.x line and 23.10 (available January 29, 2025) for the 23.x line. On-premise customers should install the updated version immediately; Cityworks Online (CWOL) deployments receive the update automatically. Information on the updated versions is available via the [Cityworks Support Portal](https://cityworks.my.site.com/) (login required).
Is CVE-2025-0994 being actively exploited in the wild?
CVE-2025-0994 is confirmed to be actively exploited in the wild. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~73% probability of exploitation activity against this vulnerability in the next 30 days.
What software or system is affected by CVE-2025-0994?
CVE-2025-0994 affects Trimble Cityworks and Trimble Cityworks (with office companion).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, FIRST.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation, and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.