SentinelOne
CVE Vulnerability Database

CVE-2025-0994: Trimble Cityworks RCE Vulnerability

CVE-2025-0994 is a deserialization RCE vulnerability in Trimble Cityworks that enables authenticated attackers to execute remote code on IIS web servers. This article covers technical details, affected versions, and mitigation.

CVE-2025-0994 Overview

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 suffer from a deserialization vulnerability that could facilitate remote code execution attacks by authenticated users against a Microsoft IIS web server.

Critical Impact

This vulnerability allows remote code execution, posing significant risks to server integrity and data security.

Affected Products

  • Trimble Cityworks versions prior to 15.8.9
  • Cityworks with office companion versions prior to 23.10
  • Microsoft Internet Information Services (IIS) impacted when running vulnerable Cityworks versions

Discovery Timeline

  • Not Available - Vulnerability discovered by Unknown
  • Not Available - Responsible disclosure to Trimble
  • Not Available - CVE-2025-0994 assigned
  • Not Available - Trimble releases security patch
  • 2025-02-06 - CVE-2025-0994 published to NVD
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2025-0994

Vulnerability Analysis

The vulnerability arises from improper deserialization handling in Trimble Cityworks, which allows attackers to inject malicious serialized objects. When the system deserializes these objects, arbitrary code execution can occur, potentially compromising the system.

Root Cause

The root cause is insecure deserialization of user-supplied input without adequate sanitization and validation.

Attack Vector

The attack is executed over the network by an authenticated user through the Cityworks interface, targeting the IIS server running the vulnerable application.

```java
// Example exploitation code (sanitized)
// MaliciousObject stands for an attacker-chosen class; readObject() applies no type restriction.
ObjectInputStream in = new ObjectInputStream(new FileInputStream("malicious.ser"));
MaliciousObject obj = (MaliciousObject) in.readObject();
in.close();
obj.execute();  // Arbitrary code execution occurs here
```

Detection Methods for CVE-2025-0994

Indicators of Compromise

  • Unexpected outbound network traffic from the IIS server
  • Presence of unauthorized serialized objects
  • Anomalies in user activity logs

Detection Strategies

Use behavior-based monitoring to track anomalies in application logic and the import of unauthorized serialized objects. Use network traffic analysis to identify unauthorized outbound communications.

Monitoring Recommendations

Set up alerts for unusual access patterns and monitor logs for deserialization events. Implement network-based intrusion detection systems (NIDS) to capture exploit attempts.

How to Mitigate CVE-2025-0994

Immediate Actions Required

  • Restrict network access to critical systems running Cityworks
  • Validate and sanitize all user-supplied input
  • Enable application whitelisting on IIS servers

Patch Information

Update Cityworks to version 15.8.9 or later (23.10 or later for Cityworks with office companion, matching the affected versions listed above). Refer to Trimble Advisory for patch details.

Workarounds

Disable the deserialization feature in Cityworks temporarily if patching is not feasible. Use application security controls to intercept and block malicious payloads.

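```bash
# Configuration example: reject outbound HTTP to a known-bad host.
# malicious-server.com is a placeholder; iptables resolves the name once, when the rule is added.
iptables -A OUTPUT -p tcp --dport 80 -d malicious-server.com -j REJECT
```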

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
