Hitmetrix - User behavior analytics & recording

Hackers exploit Trimble Cityworks vulnerability


Hackers are exploiting a vulnerability in Trimble Cityworks, an asset management system widely used by local and federal government agencies to manage public infrastructure, according to a recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) and Trimble. The bug, identified as CVE-2025-0994, allows malicious actors to perform remote code execution on a customer’s Microsoft Internet Information Services (IIS) web server. Federal civilian agencies have been instructed to patch the vulnerability by February 28.

Trimble Cityworks is integral for managing infrastructure assets for various entities, including airports, utilities, municipalities, and counties. A patch for the vulnerability was released on January 29, and Trimble has provided additional guidelines to mitigate exposure.

Hackers exploit Cityworks flaw

Trimble’s guidelines include limiting permissions connected to Cityworks and ensuring the system is not run with local or domain-level administrative privileges on any site. CISA noted that Trimble reported the vulnerability, with contributions from Symantec’s Threat Hunter team. The bug has a CVSS v4 severity score of 8.4 out of 10 and affects all Cityworks versions before 15.8.9.
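The privilege guidance above can be checked directly on the IIS host. The PowerShell below is an added example, not Trimble's or CISA's tooling; it assumes the WebAdministration and LocalAccounts modules are present and audits every application pool, since the article does not name the pool Cityworks runs in.

```powershell
# Added example: flag IIS application pools whose identity has administrative rights.
# Run from an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# Local Administrators, looked up by well-known SID so localized group names do not matter.
$admins      = Get-LocalGroupMember -SID 'S-1-5-32-544'
$adminSids   = @($admins | Where-Object ObjectClass -eq 'User'  | ForEach-Object { $_.SID.Value })
$adminGroups = @($admins | Where-Object ObjectClass -eq 'Group' | ForEach-Object { $_.Name })

$results = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type    = [string]$pool.processModel.identityType
    $user    = $pool.processModel.userName
    $finding = 'OK: built-in low-privilege identity'

    if ($type -eq 'LocalSystem') {
        $finding = 'FIX: LocalSystem has full administrative rights on this host'
    }
    elseif ($type -eq 'SpecificUser') {
        # Expand ".\account" to "HOST\account" so it can be translated to a SID.
        $account = $user -replace '^\.\\', "$env:COMPUTERNAME\"
        try {
            $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($adminSids -contains $sid) {
                $finding = 'FIX: account is a direct member of local Administrators'
            }
            elseif ($adminGroups.Count -gt 0) {
                # Nested groups (for example a domain admin group) are not expanded here.
                $finding = 'REVIEW: confirm account is not in: ' + ($adminGroups -join ', ')
            }
            else {
                $finding = 'OK: not a member of local Administrators'
            }
        }
        catch {
            $finding = 'REVIEW: could not resolve account name to a SID'
        }
    }

    [pscustomobject]@{
        AppPool  = $pool.Name
        Identity = $type
        Account  = $user
        Finding  = $finding
    }
}

$results | Format-Table -AutoSize -Wrap
```

Any pool marked FIX should be moved to a dedicated low-privilege account or the default ApplicationPoolIdentity; REVIEW rows need a manual group-membership check against the directory.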

Although Trimble did not comment on the specific actions hackers took after exploiting the vulnerability, the company emphasized the importance of implementing the patch and following recommended security practices.

Trimble, a Colorado-based technology provider with over 11,000 employees in 40 countries, also provided indicators of compromise to help customers identify potential exploitation attempts. In the last fiscal quarter, Trimble reported revenue of $875.8 million. The Cityworks platform helps customers manage critical infrastructure assets and organize inspections, work orders, permits, operations, etc.

Photo by Clint Patterson
