CVE-2025-0994 is a deserialization vulnerability classified under CWE-502 affecting Trimble Cityworks software prior to version 15.8.9 and Cityworks with office companion prior to 23.10. The vulnerability arises from the unsafe deserialization of untrusted data, which can be manipulated by an authenticated attacker to execute arbitrary code remotely on the Microsoft Internet Information Services (IIS) web server hosting the application. Deserialization vulnerabilities occur when applications deserialize data without sufficient validation, allowing attackers to craft malicious serialized objects that trigger unintended behavior, including remote code execution (RCE). This vulnerability requires the attacker to have valid authentication credentials, but does not require additional user interaction. The CVSS v4.0 base score is 8.6, indicating a high severity level due to the network attack vector, low attack complexity, and the potential for complete compromise of confidentiality, integrity, and availability of the affected system. No public exploits or active exploitation have been reported yet, but the vulnerability poses a significant risk given the critical nature of RCE on IIS servers. The lack of available patches at the time of this report necessitates immediate mitigation efforts by affected organizations.

Successful exploitation of CVE-2025-0994 can lead to remote code execution on IIS servers running vulnerable versions of Trimble Cityworks, potentially allowing attackers to fully compromise the server. This could result in unauthorized access to sensitive data, disruption of municipal or infrastructure management services, and lateral movement within organizational networks. Given Cityworks' role in asset and work management for local governments and utilities, exploitation could impact critical infrastructure operations, causing service outages or data integrity issues. The requirement for authentication limits exposure to some extent, but insider threats or compromised credentials could enable exploitation. The vulnerability affects confidentiality, integrity, and availability, making it a critical risk for organizations relying on Cityworks for operational technology and administrative functions.

Organizations should immediately identify and inventory all instances of Trimble Cityworks and Cityworks with office companion to determine exposure. Since no patches are currently available, apply the following mitigations: restrict access to Cityworks IIS servers to trusted internal networks and VPNs only; enforce strong authentication and credential management policies to reduce risk of credential compromise; implement network segmentation to isolate Cityworks servers from broader enterprise networks; monitor IIS logs and application logs for suspicious deserialization or unusual activity; apply application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block malicious serialized payloads; consider disabling or restricting deserialization features if configurable; and prepare for rapid patch deployment once vendor updates are released. Regularly update incident response plans to address potential exploitation scenarios involving this vulnerability.