CVE-2025-0994

CVSS 8.6 HIGH · EPSS 27.4% · KEV · CWE-502
In short

Trimble Cityworks deserializes untrusted data unsafely, letting an authenticated user run code on the Microsoft IIS web server that hosts the application. An attacker who already holds valid credentials (the CVSS vector rates the required privileges as high) can therefore take control of the server and execute arbitrary commands.

Technical detail

CWE-502 (deserialization of untrusted data) in Trimble Cityworks prior to 15.8.9, and in Cityworks with Office Companion prior to 23.10, allows authenticated remote code execution on the Microsoft IIS server hosting the application. Exploitation requires a valid account with high privileges (CVSS 4.0: AV:N, AC:L, PR:H, UI:N) and abuses improper handling of serialized objects; a successful attack yields high impact to the confidentiality, integrity and availability of the vulnerable system. The CVE is listed in CISA's Known Exploited Vulnerabilities catalog, which records evidence of in-the-wild exploitation, so unpatched instances should be treated as priority remediation targets.

The summaries above were generated and translated by AI from the official description.

Official description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
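An exposure check built from the version thresholds in the description, added here as an example (it is not code from the advisory or from Trimble): it compares installed Cityworks and Office Companion versions against the fixed releases 15.8.9 and 23.10 using numeric per-component comparison, so that 15.8.10 is correctly treated as newer than 15.8.9 where a plain string comparison would flag it. The inventory records, hostnames and field names are constructed for illustration; how versions are collected from a real deployment is not something the advisory covers.

```python
"""Exposure check for CVE-2025-0994 (Trimble Cityworks deserialization RCE).

Added example, not part of the advisory or of Trimble's software. The
fixed-version thresholds come from the advisory text: Cityworks 15.8.9 and
Cityworks Office Companion 23.10. The inventory records below are constructed
sample data; the record field names are an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CITYWORKS_FIXED = "15.8.9"
OFFICE_COMPANION_FIXED = "23.10"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.8.9' into (15, 8, 9) so comparison is numeric per component.

    Plain string comparison gets this wrong: '15.8.10' < '15.8.9' as strings,
    but 15.8.10 is the newer release.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_before(version: str, fixed: str) -> bool:
    """True when `version` is older than the fixed release `fixed`."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '23.10' and '23.10.0' compare equal.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


@dataclass
class CityworksHost:
    name: str
    cityworks_version: str
    office_companion_version: Optional[str] = None  # None when not installed


def affected_components(host: CityworksHost) -> List[str]:
    """List the installed components on `host` that fall in the affected ranges."""
    hits = []
    if is_before(host.cityworks_version, CITYWORKS_FIXED):
        hits.append(f"Cityworks {host.cityworks_version} < {CITYWORKS_FIXED}")
    if host.office_companion_version is not None and is_before(
        host.office_companion_version, OFFICE_COMPANION_FIXED
    ):
        hits.append(
            f"Office Companion {host.office_companion_version} < {OFFICE_COMPANION_FIXED}"
        )
    return hits


def is_affected(host: CityworksHost) -> bool:
    """A host is exposed if any installed component is below its fixed version."""
    return bool(affected_components(host))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    CityworksHost("cw-prod-01", "15.8.8", "23.9"),     # both components old
    CityworksHost("cw-prod-02", "15.8.10", None),      # newer than fix, no companion
    CityworksHost("cw-test-01", "15.8.9", "23.10"),    # exactly the fixed releases
    CityworksHost("cw-legacy-01", "15.7.2"),           # old Cityworks, no companion
    CityworksHost("cw-prod-03", "15.8.9", "23.9"),     # patched server, old companion
]


def report(inventory=SAMPLE_INVENTORY) -> dict:
    """Map hostname -> list of affected components (empty list means not affected)."""
    return {h.name: affected_components(h) for h in inventory}


if __name__ == "__main__":
    for name, hits in report().items():
        status = "AFFECTED: " + "; ".join(hits) if hits else "not affected"
        print(f"{name}: {status}")
```

The Office Companion is checked only when it is installed, because the description scopes that threshold to "Cityworks with office companion"; a host whose Cityworks build is patched but whose companion is still below 23.10 is still reported as exposed.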
⚠ The public resources for this CVE are intended for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
