CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks, an asset management and work order software designed for local governments and utilities. The critical infrastructure sectors Cityworks services include water and wastewater systems, energy, transportation systems, government services and facilities, and communications.

The vulnerability affects Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.

Successfully exploiting CVE-2025-0994 can allow authenticated attackers to conduct remote code execution (RCE) against a target’s Microsoft Internet Information Services (IIS) web server.

Figure 1: Login page on an exposed Cityworks instance (Source: Recorded Future)

Insikt Group’s Assessment of CVE-2025-0994

Indicators of compromise (IoCs) shared by Trimble suggest that the vulnerability is being exploited to deliver custom Rust-based loaders capable of loading VShell and Cobalt Strike into memory. Additionally, the threat actors delivered an obfuscated JavaScript payload located in the “%TEMP%” folder, two unknown files, three malicious executables with randomized, alphanumeric filenames (for example, “fq1u4t83[.]exe”), and two files masquerading as legitimate services (“winpty.dll” and “winpty-agent[.]exe”).

The malicious files were likely downloaded into the victim's environment from threat actor-controlled Cobalt Strike C2 servers.

Based on the IoCs shared by Trimble, the threat actors used 192.210.239[.]172:3219 and 192.210.239[.]172:4219 as staging infrastructure. Insikt Group has validated this IP address as a C2 server for Cobalt Strike.

There is insufficient evidence to definitively confirm which files were transferred from the threat actor’s infrastructure; however, the obfuscated alphanumeric-named executables stored in the “\Temp” folder or the JavaScript payload are two possibilities.

At the time of writing, there were 111 exposed Cityworks instances on Shodan, 21% of which are vulnerable based on identified version numbers. The majority of exposed instances are also geolocated in the US and include multiple .gov domains.

Figure 2: Nearly 95% of exposed Cityworks instances on Shodan are geolocated in the US (Sources: Shodan, Recorded Future)

Trimble shared the following list of IoCs related to their observed exploitation of CVE-2025-0994: