Monday, February 10, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Trimble Cityworks vulnerability CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) Catalog. Trimble Cityworks is GIS-based asset management and permitting software used by local governments, public utilities, and infrastructure organizations. The software integrates with Esri’s ArcGIS to help manage infrastructure systems.
The vulnerability is classified as Deserialization of Untrusted Data and allows attackers to achieve remote code execution (RCE) on the affected Microsoft IIS servers. It has a CVSS severity score of 8.6 and affects Trimble Cityworks versions prior to 15.8.9 and Cityworks Office Companion versions prior to 23.10.
To mitigate risks associated with this vulnerability, Federal Civilian Executive Branch (FCEB) agencies are required to apply security updates within the designated timeframe. CISA has set a deadline of February 28, 2025, for patching the vulnerability to prevent exploitation and ensure timely remediation of security threats.
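The following triage script is an added example, not code from CISA or Trimble: it flags inventory entries older than the fixed releases named above and counts the days left to the KEV due date. The inventory rows, host names and the assumption that versions are dotted numeric strings are constructed for illustration.

```python
from datetime import date

# Fixed releases and KEV due date as stated in the text above.
FIXED = {"cityworks": (15, 8, 9), "office companion": (23, 10)}
KEV_DUE = date(2025, 2, 28)

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("gis-app-01", "Cityworks", "15.8.8"),
    ("gis-app-02", "Cityworks", "15.8.9"),
    ("gis-app-03", "Cityworks", "15.10.0"),  # numerically newer than 15.8.9
    ("permits-ws-07", "Office Companion", "23.9"),  # numerically older than 23.10
    ("permits-ws-08", "Office Companion", "23.10"),
    ("gis-app-04", "Cityworks", "unknown"),
]


def parse_version(text):
    """Turn '15.8.9' into (15, 8, 9); raise ValueError on non-numeric parts."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True when the version is earlier than the fixed release for the product."""
    fixed = FIXED[product.lower()]
    found = parse_version(version)
    # Compare as integers, zero-padded to equal length: a string comparison
    # would wrongly rank '23.9' above '23.10' and '15.10.0' below '15.8.9'.
    width = max(len(fixed), len(found))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return found < fixed


def triage(inventory, today):
    """Return ([(host, product, version, status)], days left to the due date)."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "PATCH" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown product or version: check by hand
        rows.append((host, product, version, status))
    return rows, (KEV_DUE - today).days


if __name__ == "__main__":
    rows, days_left = triage(SAMPLE, date.today())
    for row in rows:
        print(*row, sep="\t")
    print(f"days to KEV due date: {days_left}")
```
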