
Trimble Cityworks: CVE-2025-0994

Posted: 19th February 2025
By: Insikt Group®

What is CVE-2025-0994?

CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks, an asset management and work order software designed for local governments and utilities. The critical infrastructure sectors Cityworks services include water and wastewater systems, energy, transportation systems, government services and facilities, and communications.

The vulnerability affects Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.

Successful exploitation of CVE-2025-0994 can allow an authenticated attacker to achieve remote code execution (RCE) on the target's Microsoft Internet Information Services (IIS) web server.

Figure 1: Login page on an exposed Cityworks instance (Source: Recorded Future)

Insikt Group’s Assessment of CVE-2025-0994

Indicators of compromise (IoCs) shared by Trimble suggest that the vulnerability is being exploited to deliver custom Rust-based loaders capable of loading VShell and Cobalt Strike into memory. Additionally, the threat actors delivered an obfuscated JavaScript payload located in the “%TEMP%” folder, two unknown files, three malicious executables with randomized, alphanumeric filenames (for example, “fq1u4t83[.]exe”), and two files masquerading as legitimate services (“winpty.dll” and “winpty-agent[.]exe”).

The malicious files were likely downloaded into the victim's environment from threat actor-controlled Cobalt Strike C2 servers.

Based on the IoCs shared by Trimble, the threat actors used 192.210.239[.]172:3219 and 192.210.239[.]172:4219 as staging infrastructure. Insikt Group has validated this IP address as a C2 server for Cobalt Strike.

There is insufficient evidence to definitively confirm which files were transferred from the threat actor’s infrastructure; however, the obfuscated alphanumeric-named executables stored in the “\Temp” folder or the JavaScript payload are two possibilities.

At the time of writing, there were 111 exposed Cityworks instances on Shodan, 21% of which are vulnerable based on identified version numbers. The majority of exposed instances are also geolocated in the US and include multiple .gov domains.

Figure 2: Nearly 95% of exposed Cityworks instances on Shodan are geolocated in the US (Sources: Shodan, Recorded Future)

Trimble shared the following list of IoCs related to their observed exploitation of CVE-2025-0994:

IoC | Type | Description
--- | --- | ---
4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5 | SHA-256 | Obfuscated JavaScript payload
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9 | SHA-256 | VShell loader
8a6c735f3608719ec9f46d9c6c5fc196db8c97065957c218b98733a491edd899 | SHA-256 | Unknown
883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925 | SHA-256 | Cobalt Strike loader
151a71c43e63db802d41d5d715aa98eb1b236e0a6441076a8d30fd93990416b4 | SHA-256 | Unknown
1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b | SHA-256 | Cobalt Strike loader
14a072113baa0a1e1e2b6044068c7bc972ae5e541a0aec06577b0d6663140079 | SHA-256 | Unknown malicious file fq1u4t83[.]exe
04dc3a16e1e2b4924943805a1cea5e402c4f2304c717ea21fdf43274b8c34a84 | SHA-256 | Unknown malicious file q0pe6x96[.]exe
f09b51b759dfe7de06fa724bd89592f5b8eae57053d5fb4891e40f24055103fb | SHA-256 | Unknown malicious file szm9wz8m[.]exe
C:\windows\temp\z1[.]exe | File path | Malicious binary download path
C:\windows\temp\z2[.]exe | File path | Malicious binary download path
C:\windows\temp\z44[.]exe | File path | Malicious binary download path
C:\windows\temp\z55[.]exe | File path | Malicious binary download path
C:\Windows\Temp\UDGEZR[.]exe | File path | Malicious binary download path
C:\Windows\Temp\z55.exe_winpty\winpty-agent[.]exe | File path | PUTTY binary download path
C:\Windows\Temp\z55.exe_winpty\winpty[.]dll | File path | PUTTY binary download path
192.210.239[.]172:3219 | IPv4:port | Staging IP address
192.210.239[.]172:4219 | IPv4:port | Staging IP address
23.247.136[.]238 | IPv4 | Threat actor-controlled IP address
31.59.70[.]13 | IPv4 | Threat actor-controlled IP address
31.59.70[.]11 | IPv4 | Threat actor-controlled IP address
149.112.117[.]49 | IPv4 | Threat actor-controlled IP address
192.210.137[.]81 | IPv4 | Threat actor-controlled IP address
192.210.183[.]118 | IPv4 | Threat actor-controlled IP address
cdn.phototagx[.]com | Domain | Threat actor-controlled callback domain
ifode[.]xyz | Domain | Threat actor-controlled domain
https[:]//cdn.lgaircon[.]xyz[:]443/jquery-3.3.1.min.js | URI | Cobalt Strike C2
https[:]//192.210.239[.]172/messages/73KWf-o0-s0hxVCDJp1sfAHRcgdm7 | URI | Cobalt Strike C2

Table 1: IoCs shared by Trimble related to their observed exploitation of CVE-2025-0994 (Source: Trimble)

Organizations should upgrade to Cityworks version 15.8.9 or later, and Cityworks with Office Companion version 23.10 or later. CISA has included this CVE in its Known Exploited Vulnerabilities Catalog, recommending immediate mitigation actions or discontinuation of the product if mitigations are unavailable. Given its active exploitation and high severity rating, organizations should prioritize patching this vulnerability to safeguard their assets from potential attacks.
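The upgrade guidance and the indicators in Table 1 can be turned directly into a defender's triage script: check an installed version against the fixed releases, then scan logs for any of the listed hashes, paths, addresses, domains and URIs. The Python below is an added example written for this post, not code from Trimble, Recorded Future or Insikt Group. The version thresholds and the indicators are the ones quoted above (a subset of the hashes, all of the network and file-path indicators); the log lines it scans are constructed for the example and do not come from any real environment. Note that version comparison must be numeric, not lexical, or Office Companion 23.9 would wrongly be ranked newer than 23.10.

```python
import re

# Fixed releases named in the advisory: Cityworks 15.8.9 and
# Cityworks with Office Companion 23.10. Anything older is affected.
PATCHED_VERSIONS = {
    "cityworks": (15, 8, 9),
    "office_companion": (23, 10),
}


def parse_version(version):
    """Turn '15.8.9' into (15, 8, 9) so comparison is numeric.

    A plain string compare would wrongly rank '23.9' above '23.10'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product, version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < PATCHED_VERSIONS[product]


# Defanged indicators copied from Table 1 of the post; the [.] / [:]
# defanging is kept here and removed only when the pattern is compiled.
IOCS = {
    "883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925": "Cobalt Strike loader (SHA-256)",
    "1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b": "Cobalt Strike loader (SHA-256)",
    "4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9": "VShell loader (SHA-256)",
    "4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5": "Obfuscated JavaScript payload (SHA-256)",
    r"C:\windows\temp\z1[.]exe": "Malicious binary download path",
    r"C:\windows\temp\z2[.]exe": "Malicious binary download path",
    r"C:\windows\temp\z44[.]exe": "Malicious binary download path",
    r"C:\windows\temp\z55[.]exe": "Malicious binary download path",
    r"C:\Windows\Temp\UDGEZR[.]exe": "Malicious binary download path",
    r"C:\Windows\Temp\z55.exe_winpty\winpty-agent[.]exe": "PUTTY binary download path",
    r"C:\Windows\Temp\z55.exe_winpty\winpty[.]dll": "PUTTY binary download path",
    "192.210.239[.]172:3219": "Staging IP address",
    "192.210.239[.]172:4219": "Staging IP address",
    "23.247.136[.]238": "Threat actor-controlled IP address",
    "31.59.70[.]13": "Threat actor-controlled IP address",
    "31.59.70[.]11": "Threat actor-controlled IP address",
    "149.112.117[.]49": "Threat actor-controlled IP address",
    "192.210.137[.]81": "Threat actor-controlled IP address",
    "192.210.183[.]118": "Threat actor-controlled IP address",
    "cdn.phototagx[.]com": "Threat actor-controlled callback domain",
    "ifode[.]xyz": "Threat actor-controlled domain",
    "https[:]//cdn.lgaircon[.]xyz[:]443/jquery-3.3.1.min.js": "Cobalt Strike C2",
    "https[:]//192.210.239[.]172/messages/73KWf-o0-s0hxVCDJp1sfAHRcgdm7": "Cobalt Strike C2",
}


def refang(ioc):
    """Undo the [.] and [:] defanging used in the table."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def _boundary_pattern(ioc):
    # Anchor on non-identifier characters so 192.210.239.172 does not match
    # inside 192.210.239.1720 and z55.exe does not match z55.exe_winpty.
    return re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?![\w.])",
                      re.IGNORECASE)


def match_iocs(lines, iocs=IOCS):
    """Scan text lines for any indicator; returns one hit per (line, ioc)."""
    compiled = [(_boundary_pattern(raw), refang(raw), desc)
                for raw, desc in iocs.items()]
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern, ioc, desc in compiled:
            if pattern.search(line):
                hits.append({"line": number, "ioc": ioc, "description": desc})
    return hits


# Constructed sample log lines (not real telemetry) in IIS, proxy, process,
# firewall and EDR styles. Lines 1 and 6 are benign and should not match.
SAMPLE_LOGS = [
    "2025-02-10 14:02:11 10.0.0.5 GET /cityworks/apps/login 200 198.51.100.20",
    "2025-02-10 14:05:43 proxy CONNECT 10.0.0.5 -> https://cdn.lgaircon.xyz:443/jquery-3.3.1.min.js",
    # IIS worker process launching a binary from Temp: the download path from Table 1
    r'2025-02-10 14:06:01 w3wp.exe spawned "C:\Windows\Temp\z55.exe"',
    "2025-02-10 14:06:09 FW ALLOW 10.0.0.5:51822 -> 192.210.239.172:4219",
    r"2025-02-10 14:07:00 EDR sha256=883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925 path=C:\Windows\Temp\z2.exe",
    "2025-02-10 14:08:00 10.0.0.5 GET /static/js/jquery-3.3.1.min.js 200 10.0.0.22",
]


if __name__ == "__main__":
    for product, version in (("cityworks", "15.8.8"), ("office_companion", "23.10")):
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product} {version}: {state}")
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['description']} -> {hit['ioc']}")
```

The boundary lookarounds are what keep the matcher precise: the sixth sample line contains the same `jquery-3.3.1.min.js` filename as the C2 URI but is not flagged, because only the full URI is an indicator, and a path such as `z55.exe_winpty\winpty.dll` does not trigger the separate `z55.exe` indicator. Feed real log files in as an iterable of lines and review each hit against its description rather than treating a single match as confirmation.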

Figure 3: Vulnerability Intelligence Card for CVE-2025-0994 in Recorded Future (Source: Recorded Future)

How Recorded Future Can Help:

Figure 4: Signature for CVE-2025-0994 in Recorded Future Attack Surface Intelligence® (Source: Recorded Future)

About Insikt Group:

Recorded Future’s Insikt Group threat research team is comprised of analysts, linguists, and security researchers with deep government and industry experience.

Insikt Group publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.
