
Hackers hijack government software to infiltrate sensitive servers.
A vulnerability identified in Trimble Cityworks allows remote code execution and could be exploited to carry out attacks.
Trimble has reported that its Cityworks software is being exploited in remote code execution (RCE) attacks. The notice comes after the company detected cybercriminals leveraging a deserialization vulnerability in its product to deploy Cobalt Strike beacons on Microsoft Internet Information Services (IIS) servers.
Cityworks is asset and permissions management software based on Geographic Information Systems (GIS) that helps local governments and utilities manage infrastructure, maintenance, and operations efficiently. It is affected by CVE-2025-0994, a high-severity flaw that allows RCE, with a severity score of 8.6.
In response to this threat, Trimble has released updates for its software. According to a statement directed to customers and partners, the company released version 15.8.9 for Cityworks 15.x and version 23.10 for Cityworks 23.x. It also warned that there are on-premises deployments with excessive IIS identity permissions and incorrect attachment directory configurations.
Trimble emphasizes the importance of addressing these issues comprehensively to mitigate the threat and resume normal operations with Cityworks. Although there is no clear information on the scale of the attack or whether any organization has been compromised, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a coordinated alert urging users to apply the fixes as soon as possible. In its advisory, CISA also reminded organizations of the need to conduct an impact analysis and risk assessment before implementing defensive measures and to follow established internal procedures for reporting suspicious activities.