{"id":1854,"date":"2025-02-10T12:57:08","date_gmt":"2025-02-10T12:57:08","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1854"},"modified":"2025-02-10T12:57:08","modified_gmt":"2025-02-10T12:57:08","slug":"hackers-breach-microsoft-iis-services-using-cityworks-rce-bug","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1854","title":{"rendered":"Hackers breach Microsoft IIS services using Cityworks RCE bug"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Hackers are exploiting a high-severity remote code execution (RCE) flaw in Cityworks deployments \u2014 a GIS-centric asset and work order management software \u2014 to execute code on customers\u2019 Microsoft web servers.<\/p>\n<p>In a coordinated <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-25-037-04\">advisory<\/a> with the US Cybersecurity and Infrastructure Security Agency (CISA), Cityworks\u2019 developer Trimble said that the vulnerability, tracked as CVE-2025-0994 with a CVSS rating of 8.6\/10, is a severe deserialization flaw and that it is working on a fix to be released in the next software update.<\/p>\n<p>US cities including Greeley, Baltimore County, and Newport News, along with critical utilities such as Sacramento Suburban Water District and Bay County Road Commission, depend on Cityworks for asset management. A breach could lead to service disruptions, data exposure, and public safety risks, highlighting the need for prompt patching of this vulnerability.<\/p>\n<p>\u201cOn-premises customers should install the updated version immediately,\u201d Trimble said. 
\u201cThese updates will be automatically applied to all Cityworks Online (CWOL) deployments.\u201d<\/p>\n<p>During its investigation following reports of suspicious activity, Trimble said it found overprivileged permissions and suspicious directory activity on a number of Cityworks deployments.<\/p>\n<p>\u201cCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,\u201d CISA said in the advisory.<\/p>\n<h2 class=\"wp-block-heading\">Hackers performed RCE against Microsoft IIS<\/h2>\n<p>The hackers reportedly exploited the flaw to run code remotely on customers\u2019 Microsoft Internet Information Services (IIS) web servers, software that provides web hosting on Windows-based infrastructure.<\/p>\n<p>\u201cTrimble has observed that some on-premise deployments may have overprivileged IIS identity permissions,\u201d the company noted. \u201cFor avoidance of doubt, and in accordance with our technical documentation, IIS should not be run with local or domain level administrative privileges on any site.\u201d<\/p>\n<p>Additionally, the investigation found that some deployments had \u201cinappropriate\u201d attachment directory configurations. Trimble recommended limiting the attachments directory root configuration to folders and subfolders that contain only attachments.<\/p>\n<p>Customers looking to update IIS identity permissions can do so by referring to the notes on <a href=\"https:\/\/learn.assetlifecycle.trimble.com\/read\/clicks\/F\/114423389\">Cityworks Support Portals<\/a>. CWOL customers, Trimble clarified, have already received permission corrections and need not do anything.<\/p>\n<h2 class=\"wp-block-heading\">IOCs reveal a CobaltStrike beacon was used for RCE<\/h2>\n<p>The advisory included a list of indicators of compromise (IOCs), detailing various tools used by the threat actors for remote intrusion. 
Among them were WinPutty and <a href=\"https:\/\/www.csoonline.com\/article\/574143\/here-is-why-you-should-have-cobalt-strike-detection-in-place.html\">CobaltStrike<\/a> <a href=\"https:\/\/www.csoonline.com\/article\/567385\/what-is-a-trojan-horse-how-this-tricky-malware-works.html\">trojans<\/a>, along with Go-based executables designed to load VShell.<\/p>\n<p>Also shared were a couple of URLs the attackers used for command-and-control (C2) operations established using CobaltStrike.<\/p>\n<p>Microsoft Internet Information Services (IIS) web servers are a popular target for threat actors due to their potential for system takeover. Attackers exploit them to gain persistence, escalate privileges, establish command-and-control (C2) channels, and distribute malware. Last week, Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/06\/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys\/\">warned that threat actors<\/a> are targeting these servers in an unrelated campaign of ViewState code injection attacks using publicly disclosed ASP.NET machine keys.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Hackers are exploiting a high-severity remote code execution (RCE) flaw in Cityworks deployments \u2014 a GIS-centric asset and work order management software \u2014 to execute code on customers\u2019 Microsoft web servers. 
In a coordinated advisory with the US Cybersecurity and Infrastructure Security Agency (CISA), Cityworks\u2019 developer Trimble said that the vulnerability, tracked as CVE-2025-0994 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1854","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1854"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1854"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1854\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1853"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}