Cyber Resilience

CVE-2025-0994

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 06 February 2025

Modified: 30 October 2025
KEV Added: 07 February 2025
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.7486 (98.9th percentile)
Risk Priority: 82 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0994 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Trimble Cityworks. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

Trimble Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10 contain a deserialization vulnerability tracked as CVE-2025-0994 and CWE-502. The flaw resides in the application’s handling of serialized data and affects deployments running on Microsoft Internet Information Services web servers, carrying a CVSS 4.0 score of 8.6.

An authenticated user can supply malicious serialized objects over the network to trigger remote code execution on the underlying IIS server, achieving full control over the web application process without user interaction.

CISA’s ICS advisory ICSA-25-037-04 and Trimble’s customer communication direct organizations to upgrade to the fixed releases and reference the vendor’s patch documentation. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

EPSS for the issue rose from lower values after disclosure to a peak of 0.7780 on 2025-12-11 before receding to the current 0.7486, indicating growing exploitation interest several months post-publication.

EU & UK References

Vulnerability details

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

CWE(s): CWE-502
KEV Date Added: 07 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization flaw in public-facing IIS-hosted web app directly enables remote code execution by authenticated attackers over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59287 · Shared CWE-502 · both on KEV
CVE-2026-20963 · Shared CWE-502 · both on KEV
CVE-2025-55182 · Shared CWE-502 · both on KEV
CVE-2026-45247 · Shared CWE-502 · both on KEV
CVE-2025-26399 · Shared CWE-502 · both on KEV
CVE-2025-53770 · Shared CWE-502 · both on KEV
CVE-2025-40551 · Shared CWE-502 · both on KEV
CVE-2026-20131 · Shared CWE-502 · both on KEV
CVE-2025-23006 · Shared CWE-502 · both on KEV
CVE-2025-24016 · Shared CWE-502 · both on KEV

Affected Assets

trimble
cityworks
≤ 15.8.9 · 23.0 — 23.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the deserialization vulnerability in Trimble Cityworks by applying vendor patches to versions 15.8.9 or later, preventing remote code execution on the IIS server.

prevent

Mitigates exploitation of the deserialization flaw by validating and sanitizing authenticated user inputs that could contain malicious serialized payloads.

detect

Detects the presence of CVE-2025-0994 in vulnerable Trimble Cityworks installations via vulnerability scanning, facilitating proactive patching.

References