A critical vulnerability (CVE-2025-0994) has been discovered in Trimble Cityworks, exposing municipal and utility systems to potential remote code execution attacks. This deserialization flaw in the Windows-based asset management platform could allow attackers to take full control of unpatched systems through specially crafted HTTP requests.

Understanding CVE-2025-0994

The vulnerability resides in how Trimble Cityworks handles serialized data through its IIS web interface. Security researchers at CyberRisk Analytics discovered that improper validation of user-supplied data during deserialization could lead to:

  • Remote code execution with SYSTEM privileges
  • Complete compromise of the Cityworks server
  • Lateral movement across connected municipal networks
  • Potential disruption of critical infrastructure services

Technical Breakdown

The flaw exists in the .NET deserialization process when Cityworks processes certain API requests. Attackers can exploit this by sending malicious serialized objects that execute arbitrary code during deserialization. Key technical details include:

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Complexity: Low
  • Authentication: Not required
  • Affected Versions: Cityworks 15.9 through 21.3
  • Default Ports: 80/443 (HTTP/HTTPS)

Impact on Windows Environments

Since Cityworks typically runs on Windows Server with IIS, the vulnerability poses particular risks to:

  • Municipal governments using Cityworks for asset management
  • Utility companies managing critical infrastructure
  • Organizations with integrated Cityworks/SAP systems

Successful exploitation could lead to:

  1. Complete system compromise
  2. Theft of sensitive citizen data
  3. Disruption of public services
  4. Ransomware deployment

Mitigation Strategies

Trimble has released security patches addressing CVE-2025-0994. Organizations should:

  • Immediately apply the latest Cityworks patches
  • Restrict network access to Cityworks servers
  • Implement web application firewalls with deserialization protection
  • Monitor for unusual IIS worker process activity
  • Consider temporarily disabling certain API endpoints if patching isn't immediately possible

Detection and Response

Security teams should look for these indicators of compromise:

  • Unusual process creation from w3wp.exe
  • Unexpected network connections from IIS servers
  • Abnormal serialized objects in web logs
  • New scheduled tasks or services created via web requests

Microsoft Defender for Endpoint and Azure Sentinel have updated detection rules for this vulnerability.

Long-Term Security Considerations

This incident highlights broader security challenges:

  • The risks of .NET deserialization in enterprise applications
  • The importance of regular security audits for municipal software
  • The need for defense-in-depth strategies for critical infrastructure

Organizations should review their entire software stack for similar deserialization vulnerabilities, particularly in:

  • Custom .NET applications
  • Third-party IIS modules
  • Legacy municipal software systems

Timeline and Vendor Response

  • Discovery Date: March 15, 2025
  • Vendor Notification: March 18, 2025
  • Patch Release: April 2, 2025
  • Public Disclosure: April 10, 2025

Trimble has provided detailed patching instructions and workarounds in their security advisory (T-SA-2025-004).

  1. Emergency - Patch all Cityworks servers immediately
  2. High Priority - Isolate Cityworks systems from sensitive networks
  3. Medium Priority - Conduct forensic analysis for potential breaches
  4. Ongoing - Implement regular vulnerability scanning for municipal software

This vulnerability serves as a stark reminder that critical infrastructure software requires rigorous security oversight, particularly when running on widely deployed platforms like Windows Server and IIS.