CVE-2025-0994

HIGH KEV

Trimble Cityworks < 15.8.9 - Authenticated Remote Code Execution via Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-0994 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 7, 2025. EIP tracks 1 public exploit from researchers including rxerium.

AI-analyzed exploit summary This repository provides a Nuclei template for detecting CVE-2025-0994 by checking the version in the HTML body of the target software. It does not include an exploit but helps identify vulnerable instances.

Description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Exploits (1)

nomisec SCANNER 4 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-0994

This repository provides a Nuclei template for detecting CVE-2025-0994 by checking the version in the HTML body of the target software. It does not include an exploit but helps identify vulnerable instances.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Cityworks (versions before 15.8.9)
No auth needed
Prerequisites: Access to the target web application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.7486
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-02-07
VulnCheck KEV 2025-02-06
ENISA EUVD EUVD-2025-1955
CWE
CWE-502
Status published
Products (1)
trimble/cityworks < 15.8.9
Published Feb 06, 2025
KEV Added Feb 07, 2025
Tracked Since Feb 18, 2026