CVE-2025-0994: Trimble Cityworks Added to CISA Vulnerability Catalog


Critical Cybersecurity Alert: New Vulnerability CVE-2025-0994 Identified in Trimble Cityworks

CISA Flags Critical Vulnerability in Trimble Cityworks, Urges Immediate Action

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability, identified as CVE-2025-0994, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability predominantly impacts Trimble Cityworks, a popular software utilized for asset management and geographic information system (GIS) applications. The flaw, known as the Trimble Cityworks Deserialization vulnerability, poses significant cybersecurity threats, especially to federal enterprises, as it enables attackers to execute remote code on compromised systems.

CVE-2025-0994 affects Trimble Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions earlier than 23.10. Exploitation requires an authenticated user. If the vulnerability is successfully exploited, an attacker could gain control over a customer's Microsoft Internet Information Services (IIS) web server, risking the confidentiality, integrity, and availability of critical infrastructure data.

CISA has ranked the severity of this vulnerability as High, with a CVSS score of 8.6, highlighting the pressing need for organizations to address the issue. Trimble responded promptly, releasing patches for both Cityworks 15.x and 23.x software versions on January 28 and 29, 2025. The updates, crucial for safeguarding against remote code execution attacks, were communicated urgently to customers, stressing the need for immediate action.

CISA’s inclusion of CVE-2025-0994 in its catalog underscores the escalating urgency to remedy such vulnerabilities within critical infrastructures. Organizations reliant on Trimble Cityworks are strongly advised to implement the necessary updates without delay, as remediating vulnerabilities like CVE-2025-0994 is vital to safeguard sensitive systems from potential attacks.
