CVE-2025-0994 is a high-severity vulnerability classified under CWE-502, which pertains to the deserialization of untrusted data. This vulnerability affects Trimble Cityworks software versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The flaw allows an authenticated user to exploit unsafe deserialization processes within the application, leading to the possibility of remote code execution (RCE) on the underlying Microsoft Internet Information Services (IIS) web server hosting the application. Deserialization vulnerabilities occur when untrusted input is deserialized without sufficient validation or sanitization, enabling attackers to craft malicious serialized objects that execute arbitrary code upon deserialization. In this case, the attacker must have valid authentication credentials to the Cityworks application, which reduces the attack surface but still poses a significant risk given the potential for full system compromise. The CVSS 4.0 base score of 8.6 reflects a high impact due to the network attack vector, low attack complexity, no user interaction required, and high impacts on confidentiality, integrity, and availability. The vulnerability does not require user interaction but does require privileges (authenticated user), and it affects the IIS web server environment, which is commonly used in enterprise settings. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and could be targeted by threat actors, especially in environments where Cityworks is deployed for critical infrastructure or municipal services management.

For European organizations, the impact of CVE-2025-0994 can be substantial, particularly for municipalities, utilities, and public sector entities that rely on Trimble Cityworks for asset management and infrastructure maintenance. Successful exploitation could lead to unauthorized remote code execution on IIS servers, enabling attackers to manipulate or disrupt critical services, exfiltrate sensitive data, or pivot within the network to compromise additional systems. Given Cityworks' role in managing public works and infrastructure, such an attack could degrade service availability, impact public safety, and cause reputational damage. The requirement for authentication limits exploitation to insiders or attackers who have obtained valid credentials, but insider threats or credential theft remain realistic risks. The vulnerability's high impact on confidentiality, integrity, and availability means that exploitation could result in data breaches, unauthorized changes to infrastructure data, and denial of service conditions. European organizations with regulatory obligations under GDPR and other data protection laws must consider the compliance implications of such a breach, including potential fines and mandatory breach notifications.

To mitigate this vulnerability, European organizations should prioritize upgrading Trimble Cityworks to version 15.8.9 or later, or Cityworks with Office Companion to version 23.10 or later, as these versions contain the necessary security patches. Until patches are applied, organizations should implement strict access controls to limit authenticated user privileges to the minimum necessary, employing the principle of least privilege. Multi-factor authentication (MFA) should be enforced to reduce the risk of credential compromise. Network segmentation should isolate IIS servers hosting Cityworks from less trusted network zones to limit lateral movement in case of exploitation. Monitoring and logging of authentication events and IIS server activity should be enhanced to detect suspicious behavior indicative of exploitation attempts. Additionally, organizations should review and harden IIS configurations, disable unnecessary features, and ensure that all related software and dependencies are up to date. Incident response plans should be updated to include scenarios involving deserialization vulnerabilities and remote code execution attacks on critical infrastructure management systems.