CyberSecurity news

@www.bleepingcomputer.com - 19d
Attackers are actively exploiting a deserialization vulnerability, identified as CVE-2025-0994, in Trimble’s Cityworks Server AMS. This flaw allows for remote code execution on Microsoft IIS web servers. The exploitation involves hackers deploying Cobalt Strike beacons for initial network access after gaining the ability to remotely execute commands. Cityworks is primarily used by local governments, utilities, and public works organizations for asset and work order management.

CISA has added the Cityworks vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply necessary updates and search for indicators of compromise. Furthermore, Microsoft has warned of code injection attacks using publicly disclosed ASP.NET machine keys, which can lead to the delivery of the Godzilla post-exploitation framework. Organizations are advised not to copy keys from publicly available resources; such keys pose a higher risk than stolen keys because they are available in multiple code repositories.

References:
  • CISA puts out a standalone security alert about Trimble Cityworks Server Asset Management System (AMS).
  • securityaffairs.com: U.S. CISA adds Trimble Cityworks flaw to its Known Exploited Vulnerabilities catalog
  • securityonline.info: CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild
  • Anonymous: Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • www.bleepingcomputer.com: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • BleepingComputer: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • bsky.app: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • therecord.media: Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts
Classification:
  • HashTags: #RCE #Cityworks #IISServer
  • Company: Microsoft, Trimble
  • Target: Trimble Cityworks, Microsoft IIS Servers
  • Product: Cityworks, IIS
  • Feature: Remote Code Execution
  • Malware: Godzilla
  • Type: Vulnerability
  • Severity: Critical