Cybersecurity experts have warned of an increase in attacks against sensitive government servers that exploit a vulnerability in software widely deployed by public-sector organizations.
The warning originates from Trimble, the vendor of the Cityworks platform, which has confirmed that the flaw in its product is being exploited in these attacks.
Trimble alerted its customers in a letter describing a deserialization vulnerability, tracked as CVE-2025-0994, that allows remote code execution (RCE) and carries a CVSS severity score of 8.6 (High).
What we know about this vulnerability
Exploiting this vulnerability could allow attackers to deploy Cobalt Strike beacons on Microsoft Internet Information Services (IIS) servers.
Cityworks, a geographic information systems (GIS)-based asset and permit management software, is designed to help governments and public services efficiently manage their infrastructure and operations.
After receiving reports of unauthorized access attempts against specific Cityworks deployments, Trimble released fixed builds: customers on the 15.x branch should upgrade to 15.8.9, and those on 23.x to 23.10.
In addition to the updates, Trimble warned that some on-premises deployments have misconfigured attachment directories and IIS identities running with elevated permissions, both of which increase exposure if the flaw is exploited. The company says these configuration issues must be corrected alongside the patch before normal Cityworks operations resume.
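As an added example (not Trimble's code or anything from the article), the following PowerShell audit shows how an administrator would check the two configuration issues named above on a Cityworks web server: it lists every IIS application pool whose identity is LocalSystem or a named account in the local Administrators group, and it inspects the attachment directory's ACL for entries that grant both write and execute to a principal. It assumes the WebAdministration module that ships with IIS, an elevated PowerShell 5.1+ session on the host, and a placeholder path in $AttachmentRoot that you must replace with your deployment's real attachment directory; the write-plus-execute rule is a generic upload-directory hardening check, not Trimble's published guidance.

```powershell
# Added example, not Trimble's or the article's code. Run elevated on the IIS host.
Import-Module WebAdministration

# Local Administrators as "COMPUTER\user" / "DOMAIN\user" strings, used to judge
# pools configured with a SpecificUser identity. Note that a pool whose userName is
# written as ".\user" will not match and must be checked by hand.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type = $pool.processModel.identityType      # LocalSystem, LocalService, NetworkService, ApplicationPoolIdentity, SpecificUser
    $user = $pool.processModel.userName
    $finding = switch ($type) {
        'LocalSystem'  { 'ELEVATED: pool runs as SYSTEM' }
        'SpecificUser' {
            if ($admins -contains $user) { "ELEVATED: $user is a local Administrator" } else { 'ok' }
        }
        default        { 'ok' }
    }
    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $type
        UserName     = $user
        Finding      = $finding
    }
}
$report | Format-Table -AutoSize

# Attachment directory check: the account that writes uploads should not also be able
# to execute what it wrote. Flag Allow ACEs that carry both WriteData and ExecuteFile
# (FullControl includes both). $AttachmentRoot is a placeholder, not a Cityworks default.
$AttachmentRoot = 'D:\Cityworks\Attachments'   # placeholder: set to your real attachment path
$write   = [System.Security.AccessControl.FileSystemRights]::WriteData
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

if (Test-Path $AttachmentRoot) {
    (Get-Acl $AttachmentRoot).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $write)   -ne 0) -and
            (($_.FileSystemRights -band $execute) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights
} else {
    Write-Warning "Attachment directory $AttachmentRoot not found; set `$AttachmentRoot to the configured path."
}
```

Any pool reported as ELEVATED should be moved to ApplicationPoolIdentity (or a dedicated low-privilege service account), and any principal returned by the ACL check should lose either write or execute on the attachment tree, so that a deserialization bug reaching the web process cannot both drop and run a payload from a location it is meant to store uploads in.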
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a coordinated advisory urging affected organizations to apply the patches immediately and to perform an impact analysis and risk assessment before deploying defensive measures.
Organizations that detect malicious activity should follow their internal incident response procedures and report the incident to CISA so the agency can track exploitation of this flaw.