CVE-2025-0994
Published: 06 February 2025
Summary
CVE-2025-0994 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Trimble Cityworks. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the deserialization vulnerability in Trimble Cityworks by applying vendor patches to versions 15.8.9 or later, preventing remote code execution on the IIS server.
Mitigates exploitation of the deserialization flaw by validating and sanitizing authenticated user inputs that could contain malicious serialized payloads.
Detects the presence of CVE-2025-0994 in vulnerable Trimble Cityworks installations via vulnerability scanning, facilitating proactive patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization flaw in public-facing IIS-hosted web app directly enables remote code execution by authenticated attackers over the network.
NVD Description
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information…
more
Services (IIS) web server.
Deeper analysisAI
CVE-2025-0994 is a deserialization vulnerability (CWE-502) affecting Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. The flaw targets the Microsoft Internet Information Services (IIS) web server hosting these applications, enabling remote code execution. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts across confidentiality, integrity, and availability.
An authenticated user with low privileges (PR:L) can exploit the vulnerability remotely without requiring user interaction. By leveraging the deserialization flaw, the attacker achieves remote code execution directly on the customer's IIS web server, potentially compromising the entire server environment.
Advisories recommend upgrading to Trimble Cityworks 15.8.9 or later and Cityworks office companion 23.10 or later to mitigate the issue. Key references include Trimble's customer communication at https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?, CISA ICSA-25-037-04 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04, and its listing in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994, signaling active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 07 February 2025