CVE-2025-0994
Published: 06 February 2025
Summary
CVE-2025-0994 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Trimble Cityworks. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
Trimble Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10 contain a deserialization vulnerability tracked as CVE-2025-0994 and CWE-502. The flaw resides in the application’s handling of serialized data and affects deployments running on Microsoft Internet Information Services web servers, carrying a CVSS 4.0 score of 8.6.
An authenticated user can supply malicious serialized objects over the network to trigger remote code execution on the underlying IIS server, achieving full control over the web application process without user interaction.
CISA’s ICS advisory ICSA-25-037-04 and Trimble’s customer communication direct organizations to upgrade to the fixed releases and reference the vendor’s patch documentation. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
EPSS for the issue rose from lower values after disclosure to a peak of 0.7780 on 2025-12-11 before receding to the current 0.7486, indicating growing exploitation interest several months post-publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1955
Vulnerability details
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information…
more
Services (IIS) web server.
- CWE(s)
- KEV Date Added
- 07 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization flaw in public-facing IIS-hosted web app directly enables remote code execution by authenticated attackers over the network.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the deserialization vulnerability in Trimble Cityworks by applying vendor patches to versions 15.8.9 or later, preventing remote code execution on the IIS server.
Mitigates exploitation of the deserialization flaw by validating and sanitizing authenticated user inputs that could contain malicious serialized payloads.
Detects the presence of CVE-2025-0994 in vulnerable Trimble Cityworks installations via vulnerability scanning, facilitating proactive patching.