CVE-2025-0994

HIGH KEV

Trimble Cityworks < 15.8.9 - Insecure Deserialization

Title source: rule

Description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are affected by a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Exploits (1)

nomisec SCANNER 4 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-0994

Scores

CVSS v3 8.8
EPSS 0.7486
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-02-07
VulnCheck KEV 2025-02-06
ENISA EUVD EUVD-2025-1955
CWE CWE-502
Status published
Products (1)
trimble/cityworks < 15.8.9
Published Feb 06, 2025
KEV Added Feb 07, 2025
Tracked Since Feb 18, 2026