
Vulnerability in Cityworks leads to Microsoft IIS attacks

Trimble, a software vendor for the construction industry and others, is warning of a critical vulnerability in its Cityworks software that enables attacks on Microsoft Internet Information Services (IIS) servers. A patch is now available.

According to Trimble, the vulnerability concerns the GIS asset and work order management software Cityworks. This software is primarily used by local governments, utilities, and public infrastructure managers.

Attack path for RCE attacks

The recently discovered vulnerability, CVE-2025-0994, is a deserialization flaw. It allows authenticated users to achieve remote code execution (RCE) on the Microsoft IIS servers that host Cityworks.

This gives cybercriminals a foothold from which to spread further malware within a network. While analyzing indicators of compromise, Trimble’s security specialists found that attackers had installed remote access tools such as WinPutty and Cobalt Strike beacons, among others.

The vulnerability affects all versions of Trimble Cityworks before version 15.8.9. Cityworks with “office companion” versions older than 23.10 are also vulnerable. The latest versions 15.8.9 and 23.10 were released in late January of this year.

Resolve in three steps

Trimble advises administrators to address the problem in three steps:

  1. Install security update: Administrators of on-premises installations should install the latest security update as soon as possible. Cloud-based instances are updated automatically.
  2. Manage IIS identity rights: For on-premises installations, administrators should check that IIS identity permissions are not over-privileged. These should not run with local or domain administrative rights.
  3. Configure attachment directory correctly: Administrators should verify that the attachment directory configuration is correct. Trimble recommends limiting attachment root folders to attachments only.
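To put step 2 into practice, the following PowerShell audit (an added example, not Trimble's or Microsoft's code) lists the identity of every IIS application pool on the host and flags pools that run as LocalSystem or as a member of the local Administrators group. It assumes the IIS management tools (WebAdministration module) are installed, that the session is elevated, and it only inspects local group membership, not nested domain groups.

```powershell
# Added example: audit IIS application pool identities for administrative rights.
# Assumes the WebAdministration module is present and the script runs elevated on
# the IIS host. Domain group nesting (e.g. a domain group placed in the local
# Administrators group) is not expanded; review such entries manually.
Import-Module WebAdministration

# Current members of the local Administrators group, lower-cased for comparison.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    # identityType is one of: ApplicationPoolIdentity, LocalService,
    # NetworkService, LocalSystem, SpecificUser
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    $risk = 'OK'

    if ($pm.identityType -eq 'LocalSystem') {
        $risk = 'HIGH: pool runs as LocalSystem'
    }
    elseif ($pm.identityType -eq 'SpecificUser') {
        $name = $identity.ToLowerInvariant()
        # Unqualified names refer to local accounts; qualify them for the lookup.
        if ($name -notmatch '\\') { $name = "$env:COMPUTERNAME\$name".ToLowerInvariant() }

        if ($admins -contains $name) {
            $risk = 'HIGH: custom account is a member of local Administrators'
        }
        elseif ($name -match '\\administrator$') {
            $risk = 'HIGH: built-in Administrator account'
        }
        else {
            $risk = 'REVIEW: custom account; confirm it holds no admin group membership'
        }
    }

    [pscustomobject]@{ AppPool = $pool.Name; Identity = $identity; Risk = $risk }
}

$findings | Format-Table -AutoSize
```

Any pool reported as HIGH should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account before the Cityworks application is returned to service.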

After completing these three steps, Trimble Cityworks can be safely used again.

Multiple attacks on IIS servers

This vulnerability is not the only recent threat to Microsoft IIS servers. Last week, it was revealed that hackers are increasingly attacking IIS servers via ViewState code injection. They do this using publicly available ASP.NET machine keys found online.
