A critical vulnerability (CVE-2025-0994) has been discovered in Trimble's Cityworks asset management platform, exposing systems to remote code execution (RCE) attacks through insecure deserialization in IIS-hosted applications. This flaw could allow unauthenticated attackers to execute arbitrary code on affected servers with SYSTEM-level privileges.

Understanding CVE-2025-0994

The vulnerability stems from improper input validation during the deserialization of untrusted data in Cityworks' .NET web services. When exploited, this flaw enables attackers to:

  • Bypass authentication mechanisms
  • Execute malicious payloads with elevated privileges
  • Gain complete control over affected systems
  • Potentially pivot to other network resources

Affected Versions

Trimble has confirmed the vulnerability impacts:

  • Cityworks 2023.1 through 2024.3
  • All service packs and hotfixes prior to 2024.3.1
  • Both on-premises and cloud-hosted deployments

Technical Analysis

The exploit chain involves:

  1. Sending specially crafted serialized objects to vulnerable endpoints
  2. Triggering improper deserialization in the .NET runtime
  3. Executing attacker-controlled code via carefully constructed gadget chains

Security researchers note the vulnerability is particularly dangerous because:

  • No authentication is required for exploitation
  • The attack can be delivered through normal HTTP requests
  • Existing network protections may not detect the malicious payloads

Mitigation and Patching

Trimble has released Cityworks 2024.3.1 to address this vulnerability. Organizations should:

  1. Immediately apply the 2024.3.1 update
  2. If immediate patching isn't possible:
    - Restrict access to Cityworks servers
    - Implement WAF rules to block suspicious serialized objects
    - Monitor for unusual process creation events

Detection Indicators

Security teams should watch for:

  • Unusual network traffic to Cityworks AMS/PLL endpoints
  • Unexpected child processes spawned by w3wp.exe
  • Modifications to web.config or other critical files
  • New scheduled tasks or services related to Cityworks
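
As an added example (not from Trimble or the original article), the sketch below flags unexpected child processes of w3wp.exe in process-creation telemetry, the indicator listed above and the monitoring step under Mitigation and Patching. It assumes events exported as JSON lines using Sysmon Event ID 1 field names; the allowlist and the sample events are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: children an IIS worker may legitimately start (ASP.NET dynamic
# compilation, crash reporting). Tune this list per environment.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "werfault.exe"}

# Constructed sample events (not real telemetry), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = r'''
{"EventID": 1, "UtcTime": "2025-01-01 10:00:01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig", "User": "IIS APPPOOL\\ExamplePool"}
{"EventID": 1, "UtcTime": "2025-01-01 10:02:13", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "User": "IIS APPPOOL\\ExamplePool"}
{"EventID": 1, "UtcTime": "2025-01-01 10:03:40", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe", "User": "EXAMPLE\\admin"}
{"EventID": 1, "UtcTime": "2025-01-01 10:05:02", "ParentImage": "c:\\windows\\system32\\inetsrv\\W3WP.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile", "User": "IIS APPPOOL\\ExamplePool"}
{"EventID": 3, "UtcTime": "2025-01-01 10:05:03", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
this line is truncated {"EventID": 1,
'''


def basename(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return PureWindowsPath(path or "").name.lower()


def suspicious_w3wp_children(lines):
    """Return process-creation events where w3wp.exe started an unexpected child."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip rather than abort the scan
        if not isinstance(ev, dict) or ev.get("EventID") != 1:
            continue  # only process-creation events are relevant here
        if basename(ev.get("ParentImage")) != "w3wp.exe":
            continue
        child = basename(ev.get("Image"))
        if child not in EXPECTED_CHILDREN:
            findings.append({"time": ev.get("UtcTime"), "child": child,
                             "cmdline": ev.get("CommandLine"), "user": ev.get("User")})
    return findings


if __name__ == "__main__":
    for hit in suspicious_w3wp_children(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Matching on the file name alone keeps the example short; a production rule should also compare the full image path, since a binary can be renamed to an allowlisted name.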

Best Practices for Prevention

Beyond immediate patching, organizations should:

  • Apply the principle of least privilege to service accounts
  • Enable enhanced logging for deserialization events
  • Consider virtual patching solutions
  • Conduct regular security audits of custom integrations

Timeline and Disclosure

The vulnerability was:

  • Discovered: March 2025 by independent researchers
  • Reported to Trimble: April 1, 2025
  • Patch released: April 15, 2025
  • Public disclosure: April 22, 2025

Trimble has credited the researchers through their security acknowledgment program.

Long-term Security Considerations

This incident highlights several important security lessons:

  1. The continued risks of .NET deserialization vulnerabilities
  2. The importance of secure coding practices for municipal software
  3. The need for robust patch management in operational technology systems

Organizations using Cityworks should review their entire asset management security posture, not just apply this single patch.