Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers www.bleepingcomputer.com/news/secu…

Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.

Trimble Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software designed primarily for local governments, utilities, and public works organizations.

The flaw, tracked as CVE-2025-0994, is a high severity (CVSS v4.0 score: 8.6) deserialization problem that allows authenticated users to perform RCE attacks against a customer’s Microsoft Internet Information Services (IIS) servers.

The latest versions, 15.8.9 and 23.10, were made available on January 28 and 29, 2025, respectively.

Administrators managing on-premise deployments must apply the security update as soon as possible, while cloud-hosted instances (CWOL) will receive the updates automatically.