{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0994", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-02-03T18:03:05.707Z", "datePublished": "2025-02-06T16:01:20.000Z", "dateUpdated": "2025-10-21T22:55:30.136Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cityworks", "vendor": "Trimble", "versions": [{"lessThan": "15.8.9", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Cityworks (with office companion)", "vendor": "Trimble", "versions": [{"lessThan": "23.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Trimble"}], "datePublic": "2025-02-06T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server."}], "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CISA has received reports of this vulnerability being actively exploited.<br>"}], "value": "CISA has received reports of this vulnerability being actively exploited."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-06T16:55:26.352Z"}, "references": [{"tags": ["government-resource", "third-party-advisory"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04"}, {"tags": ["vendor-advisory"], "url": "https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.<br>"}], "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments."}], "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.<br><br>Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required) for more information on how to ensure proper configuration of the attachment directory.<br>"}], "value": "Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.\n\nTrimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required) for more information on how to ensure proper configuration of the attachment directory."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0994", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-15T19:53:25.658943Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-02-07", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994", "tags": ["government-resource"]}], "timeline": [{"time": "2025-02-07T00:00:00+00:00", "lang": "en", "value": "CVE-2025-0994 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T22:55:30.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0994", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-15T19:53:25.658943Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-02-07", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"}}}], "timeline": [{"lang": "en", "time": "2025-02-07T00:00:00+00:00", "value": "CVE-2025-0994 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T16:21:54.713Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Trimble"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trimble", "product": "Cityworks", "versions": [{"status": "affected", "version": "0", "lessThan": "15.8.9", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Trimble", "product": "Cityworks (with office companion)", "versions": [{"status": "affected", "version": "0", "lessThan": "23.10", "versionType": "custom"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "CISA has received reports of this vulnerability being actively exploited.", "supportingMedia": [{"type": "text/html", "value": "CISA has received reports of this vulnerability being actively exploited.<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.", "supportingMedia": [{"type": "text/html", "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.<br>", "base64": false}]}], "datePublic": "2025-02-06T16:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04", "tags": ["government-resource", "third-party-advisory"]}, {"url": "https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.\n\nTrimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login required) for more information on how to ensure proper configuration of the attachment directory.", "supportingMedia": [{"type": "text/html", "value": "Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.<br><br>Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](<a target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\">https://cityworks.my.site.com/)(Login</a> required) for more information on how to ensure proper configuration of the attachment directory.<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server.", "supportingMedia": [{"type": "text/html", "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-06T16:55:26.352Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0994", "state": "PUBLISHED", "dateUpdated": "2025-10-21T22:55:30.136Z", "dateReserved": "2025-02-03T18:03:05.707Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-02-06T16:01:20.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cisaActionDue": "2025-02-28", "cisaExploitAdd": "2025-02-07", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Trimble Cityworks Deserialization Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*", "matchCriteriaId": "97280FE5-5F66-4B2B-88B0-6F6E671FF90A", "versionEndExcluding": "15.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:*", "matchCriteriaId": "E611E790-43D6-457E-8C82-E5CB157F14E3", "versionEndExcluding": "23.10", "versionStartIncluding": "23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server."}, {"lang": "es", "value": "Las versiones de Trimble CityWorks antes de 15.8.9 y Cityworks con versiones complementarias de la oficina antes de 23.10 son vulnerables a una vulnerabilidad de deserializaci\u00f3n. Esto podr\u00eda permitir que un usuario autenticado realice un ataque de ejecuci\u00f3n de c\u00f3digo remoto contra el servidor web de Informaci\u00f3n de Internet de Microsoft de Microsoft (IIS) de un cliente."}], "id": "CVE-2025-0994", "lastModified": "2025-10-21T23:16:45.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-02-06T16:15:41.493", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}