A now-patched high-severity security flaw affecting Trimble Cityworks — specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services — was abused by Chinese hackers to compromise systems before a patch was available.
According to a Talos intelligence report, the flaw (tracked as CVE-2025-0994) in the Geographic Information System (GIS)-based asset management tool was used by hackers in zero-day exploitation for achieving remote code execution and subsequent malware delivery.
“Talos has found intrusions in enterprise networks of local governing bodies in the United States (US), beginning January 2025 when initial exploitation first took place,” the cybersecurity outfit said in a blog post, attributing the exploitation to the entity it tracks as ‘UAT-6382’. “Based on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor, Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.”
The Cybersecurity and Infrastructure Security Agency (CISA) had flagged the flaw in February for its ability to compromise critical ICS systems. Trimble addressed the vulnerability by releasing security updates in January.
Hackers used Cobalt Strike and VShell payloads
Based on evidence presented by Talos, threat actors exploited CVE-2025-0994 to deploy malicious payloads that include Rust-based loaders, obfuscated JavaScript, and tools like Cobalt Strike and VShell for advanced attacks.
“UAT-6382 successfully exploited CVE-2025-0994, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,” Talos said. “Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management.”
Once inside a Cityworks system, often through stolen credentials or phishing, attackers exploited the flaw to quietly upload disguised Rust-based malware loaders. The loader then pulls in additional malware for persistence or deeper intrusion, some of it masquerading as legitimate Cityworks services (e.g., CityworksCacheLayerService.exe) to avoid raising alarms.
For deeper intrusion, hackers relied on tools like Cobalt Strike and VShell, and slipped malicious JavaScript into overlooked directories.
Deserialization bug allowed RCE on Microsoft IIS
The vulnerability, which impacts Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10, is a deserialization flaw that was assigned a severity rating of CVSS 8.6 out of 10.
On successful exploitation, the bug allows authenticated attackers to achieve remote code execution (RCE) on a target’s Microsoft Internet Information Services (IIS) web server, a significant risk considering it could lead to unauthorized access and control over critical systems. Trimble fixed the issue with two January releases, Cityworks 15.8.9 and Office Companion 23.10, and urged customers to update affected systems promptly.
“On premise customers should install the updated version immediately,” the company had said. “These updates will be automatically applied to all Cityworks Online (CWOL) deployments.”
As an added mitigation step, Trimble recommended that its on-premise customers not run IIS with local or domain-level administrative privileges on any site, a configuration that is applied automatically for CWOL deployments.
The company also flagged inappropriate attachment directory configurations, with instructions to limit these configurations to folders and subfolders containing only attachments.
Talos noted that zero-day exploitation is not too surprising: an Eventus scan in February found 111 publicly accessible Cityworks instances, approximately 21% of which were vulnerable to CVE-2025-0994.
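The IIS privilege guidance above is something an on-premise administrator can verify rather than take on faith. The following PowerShell audit is an added example, not code from Trimble, Talos, or this article: it enumerates every IIS application pool and flags those whose worker process runs as the built-in LocalSystem account or as a specific user who is a member of the local Administrators group. It assumes the IIS WebAdministration module is present and that it is run locally with sufficient rights to read IIS configuration and local group membership; nothing in it is specific to Cityworks beyond the reason for running it.

```powershell
# Added example (not from Trimble or Talos): audit IIS application pool identities
# for the administrative configurations Trimble advises against on Cityworks hosts.
# Assumes the WebAdministration module (IIS 7+) and a local run with admin rights.
Import-Module WebAdministration -ErrorAction Stop

# Built-in identity types that run worker processes with full system privileges.
$privilegedBuiltIn = @('LocalSystem')

# Direct members of the local Administrators group, used to test SpecificUser identities.
# Note: nested domain groups are not expanded here, so a domain-group admin can be missed.
$localAdmins = @()
try {
    $localAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
}

$findings = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $identityType = $pool.processModel.identityType
    $user         = $pool.processModel.userName
    $reason       = $null

    if ($privilegedBuiltIn -contains $identityType) {
        $reason = "runs as built-in $identityType"
    } elseif ($identityType -eq 'SpecificUser' -and $user) {
        # Match either DOMAIN\user or bare user against the Administrators membership list.
        $isAdmin = $localAdmins | Where-Object { $_ -ieq $user -or $_ -like "*\$user" }
        if ($isAdmin) { $reason = "runs as '$user', a member of local Administrators" }
    }

    if ($reason) {
        [pscustomobject]@{
            AppPool  = $pool.Name
            Identity = $(if ($user) { $user } else { $identityType })
            Reason   = $reason
        }
    }
}

if ($findings) {
    Write-Output "Application pools with administrative identities (review against Trimble guidance):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No IIS application pools run as LocalSystem or as a local Administrators member."
}
```

ApplicationPoolIdentity, NetworkService and LocalService pools are treated as acceptable by this check; the point is to surface pools whose compromise through a deserialization bug like CVE-2025-0994 would hand an attacker administrative control of the host. Because Get-LocalGroupMember lists only direct members, a domain group granted local admin rights needs a separate directory lookup to be caught.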