OTPulse
FeedAboutContact

Trimble Cityworks (Update A)

Act Now7.2ICS-CERT ICSA-25-037-04Feb 6, 2025
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary

A remote code execution vulnerability in Trimble Cityworks allows an authenticated high-privilege user to execute arbitrary commands on the server. The vulnerability is in deserialization logic (CWE-502) and does not directly control industrial processes, but compromises the integrity of asset management and operational data for utilities. Exploitation requires valid administrative credentials but has been actively observed in the wild. Trimble has released patched versions 15.8.9 and 23.10, with additional mitigations recommended for IIS permission configuration and attachment directory restrictions on on-premise installations.

What this means
What could happen
An authenticated user with high privileges could execute arbitrary code on a Cityworks server, potentially allowing them to compromise the entire system managing municipal water, electric, or infrastructure operations data. This could lead to unauthorized changes to work orders, asset data, or operational records.
Who's at risk
Water utilities, electric utilities, and other municipal infrastructure operators using Trimble Cityworks for asset management and work order tracking. Specifically affects on-premise deployments of Cityworks versions below 15.8.9 and 23.x versions below 23.10. Cloud-based Cityworks Online (CWOL) customers are already patched automatically.
How it could be exploited
An attacker with administrative or highly privileged credentials (obtained through compromise or insider access) could send a malicious request to the Cityworks application to trigger remote code execution. The attacker gains the ability to run arbitrary commands with the privileges of the Cityworks application process.
Prerequisites
  • Valid high-privilege Cityworks user credentials (e.g., administrator account)
  • Network access to the Cityworks application (web interface or API)
  • If on-premise: Cityworks running on Windows IIS
  • If applicable: Access to attachment upload or file handling functionality
Actively exploited (KEV)High CVSS score (7.2)High EPSS probability (76%)Requires authentication but targets high-privilege usersRemote exploitation over networkCould enable lateral movement if credentials leaked
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
Cityworks with office companion: <23.10<23.1015.8.9
Cityworks: <15.8.9<15.8.915.8.9
Remediation & Mitigation

Cityworks has released the following update guidance for users: Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the Cityworks Support Portal(Login required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments. Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the Cityworks Support Portal(Login required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action. Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the Cityworks Support Portal(Login required) for more information on how to ensure proper configuration of the attachment directory. Cityworks software is incapable of controlling industrial processes, and is not directly part of an ICS.

View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/247e9bb0-9576-4c05-a19f-ceae038166ee