CVE-2025-0994 is a deserialization vulnerability classified under CWE-502 found in Trimble Cityworks software versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10. The vulnerability arises from improper handling of untrusted serialized data, which an authenticated user can exploit to perform remote code execution (RCE) on the Microsoft Internet Information Services (IIS) web server hosting the application. Deserialization vulnerabilities occur when an application deserializes data from untrusted sources without sufficient validation, enabling attackers to inject malicious payloads that execute arbitrary code. In this case, the attacker must have valid authentication credentials but does not require additional user interaction. The vulnerability has a CVSS 4.0 score of 8.6, reflecting its high impact on confidentiality, integrity, and availability, as well as its relatively low attack complexity and no requirement for user interaction. Although no active exploits have been reported yet, the vulnerability poses a significant risk due to the critical nature of RCE on IIS servers, which are commonly used in enterprise environments. Trimble Cityworks is widely used in municipal asset and infrastructure management, making this vulnerability particularly relevant to organizations managing public utilities and infrastructure. The lack of available patches at the time of reporting necessitates immediate risk mitigation and monitoring.

The impact of CVE-2025-0994 on European organizations can be severe, especially those relying on Trimble Cityworks for infrastructure, asset management, and municipal services. Successful exploitation could lead to full remote code execution on IIS servers, allowing attackers to execute arbitrary commands, install malware, steal sensitive data, or disrupt critical services. This could compromise the confidentiality, integrity, and availability of municipal IT systems, potentially affecting public services such as water, waste management, and transportation. Given the critical role of these systems, an attack could result in operational downtime, financial losses, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The requirement for authenticated access somewhat limits the attack surface but does not eliminate risk, especially if credential theft or insider threats are considered. European organizations with exposed or poorly segmented IIS servers hosting Cityworks are particularly vulnerable. The absence of known exploits currently provides a window for proactive defense but also means attackers may develop exploits soon after patch release.

1. Apply official patches from Trimble immediately once they become available for Cityworks versions prior to 15.8.9 and office companion versions prior to 23.10. 2. Restrict and monitor user authentication privileges rigorously, ensuring that only trusted users have access to Cityworks applications. 3. Implement network segmentation to isolate IIS servers hosting Cityworks from broader enterprise networks, limiting lateral movement in case of compromise. 4. Enable detailed logging and real-time monitoring on IIS servers and Cityworks applications to detect unusual activities indicative of exploitation attempts. 5. Use application whitelisting and endpoint protection solutions on IIS servers to prevent unauthorized code execution. 6. Conduct regular credential audits and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. 7. Review and harden IIS server configurations, disabling unnecessary features and services to reduce the attack surface. 8. Prepare incident response plans specific to web server compromises involving Cityworks to enable rapid containment and recovery.