CVE-2025-0994

HIGH CISA KEV EPSS 97.8%

Published Feb 6, 20251y ago · Modified Jun 17, 20261w ago

8.6 CVSS 4.0

High

Find Similar

Published Feb 6, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

KEV Listed Feb 7, 2025 1y ago

KEV Due Feb 28, 2025 487d overdue

Description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

CVSS Details

Base Score

8.6

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

CISA Known Exploited Overdue 487d

Added: Feb 7, 2025
Due: Feb 28, 2025

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability

97.8% percentile

Exploit & Patch Status

Actively Exploited (KEV)

No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

Affected Products 2

Vendor	Product	Version	Range
trimble	cityworks	*	<15.8.9
trimble	cityworks	*	≥23.0 – <23.10

References 3

learn.assetlifecycle.trimble.com https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?

Vendor Advisory
cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994

US Government Resource
cisa.gov https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04

Third Party AdvisoryUS Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.