Hackers Launch Attacks on Government Systems Through Critical Cityworks Security Flaw

Trimble Warns of Active Exploitation of Cityworks Security Vulnerability

A critical security vulnerability in Trimble’s Cityworks software is being actively exploited by cybercriminals to compromise IIS servers. The flaw, identified as CVE-2025-0994, carries a high severity rating of 8.6 and affects the GIS-centric asset management system widely used by local governments and utilities.

The vulnerability allows authenticated users to execute remote commands on Microsoft IIS servers and deploy malicious tools, including Cobalt Strike beacons. Affected versions include Cityworks prior to 15.8.9 and Cityworks with office companion versions before 23.10.

Key Security Measures:
– Immediate installation of security updates released on January 28-29, 2025
– Cloud-hosted instances (CWOL) will receive automatic updates
– On-premise deployments require manual patching
– Review and correction of IIS identity permissions
– Proper configuration of attachment directories

CISA has issued an advisory urging immediate action to secure affected systems. Trimble’s investigation revealed that attackers are utilizing various remote access tools, including WinPutty and Cobalt Strike beacons, to breach networks.

The company emphasizes that IIS servers should not run with administrative privileges, and that attachment root folders should be restricted to only the files they need. Organizations using Cityworks should implement these security measures promptly to protect their infrastructure from potential attacks.
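One way to check both hardening points offline, as an added example that is not Trimble's or CISA's tooling: it reads an IIS `applicationHost.config` for application pools running as LocalSystem or as an account the auditor lists as an administrator, and lists files in an attachment root that fall outside an allowlist. The pool names, the account name and the extension allowlist are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS's applicationHost.config (not from a real server).
SAMPLE_CONFIG = """<configuration><system.applicationHost><applicationPools>
  <add name="DefaultAppPool" />
  <add name="CityworksPool"><processModel identityType="LocalSystem" /></add>
  <add name="ReportsPool">
    <processModel identityType="SpecificUser" userName="CORP\\svc-gisadmin" />
  </add>
  <applicationPoolDefaults><processModel identityType="ApplicationPoolIdentity" /></applicationPoolDefaults>
</applicationPools></system.applicationHost></configuration>"""

# Assumption: extensions an attachment store legitimately needs; adjust per deployment.
ALLOWED_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".docx", ".xlsx", ".txt"}

def risky_app_pools(config_xml, admin_accounts):
    """Return (pool, reason) for pools running as LocalSystem or as a listed admin account."""
    pools = next(ET.fromstring(config_xml).iter("applicationPools"))
    default = pools.find("applicationPoolDefaults/processModel")
    default_type = "ApplicationPoolIdentity" if default is None else default.get(
        "identityType", "ApplicationPoolIdentity")
    admins = {a.lower() for a in admin_accounts}  # Windows account names are case-insensitive
    findings = []
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        attrs = {} if pm is None else pm.attrib
        id_type = attrs.get("identityType", default_type)  # pools inherit the default identity
        user = attrs.get("userName", "")
        if id_type == "LocalSystem":
            findings.append((pool.get("name"), "runs as LocalSystem"))
        elif id_type == "SpecificUser" and user.lower() in admins:
            findings.append((pool.get("name"), f"runs as administrator account {user}"))
    return findings

def unexpected_attachments(root):
    """Return sorted relative paths under root whose extension is not on the allowlist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

if __name__ == "__main__":
    for pool, reason in risky_app_pools(SAMPLE_CONFIG, ["CORP\\svc-gisadmin"]):
        print(f"{pool}: {reason}")
```

The administrator list has to come from the server's own group membership, since `applicationHost.config` records which account a pool uses but not what rights that account holds.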
