Trimble Cityworks (Update A)

Act Now | CVSS 7.2 | ICS-CERT ICSA-25-037-04 | Feb 6, 2025
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Trimble Cityworks contains a remote code execution vulnerability (CWE-502) affecting versions prior to 15.8.9 and 23.10. An authenticated user with administrative privileges can exploit this to execute arbitrary code on the Cityworks server. The vulnerability is actively being exploited in the wild. Trimble has released patch versions 15.8.9 (January 28, 2025) and 23.10 (January 29, 2025). Additionally, some on-premise deployments have been identified running IIS with local or domain administrative privileges, which increases the severity of successful exploitation. Attachment directory configurations may also be misconfigured in some deployments.

What this means
What could happen
An authenticated attacker with administrative privileges could execute arbitrary code on Cityworks servers, potentially compromising utility management data, disabling water or electric service billing and administrative systems, or pivoting into connected OT networks.
Who's at risk
Water and electric utilities, municipalities, and other government agencies using Trimble Cityworks for asset management, work order management, and billing administration. Also affects any organization using Cityworks with office companion for integrated utility management operations.
How it could be exploited
An attacker with administrative credentials (such as a compromised utility staff account or insider) can send a specially crafted request to a Cityworks server to execute remote code. Once code execution is achieved, the attacker can run commands as the IIS application identity—which in some misconfigured deployments runs with administrative privileges, granting full system control.
Prerequisites
  • Administrative credentials on Cityworks system (valid utility staff account or service account)
  • Network access to Cityworks server on port 443 (HTTPS)
  • IIS application identity configured with local or domain administrative privileges (required only if attacker intends to escape application sandbox; standard non-admin config provides some containment)
  • actively exploited (KEV)
  • requires administrative credentials but attackers may have obtained them
  • high CVSS (7.2)
  • high EPSS score (74.7%)
  • can lead to full system compromise if IIS runs as administrator
  • potential pivot point to connected networks
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2)
2 with fix
Product                            Affected Versions   Fix Status
Cityworks with office companion    <23.10              15.8.9
Cityworks                          <15.8.9             15.8.9
Remediation & Mitigation
Do now
HOTFIX: Update Cityworks to version 15.8.9 or 23.10 immediately
HARDENING: Review and reconfigure IIS identity permissions to run without local or domain administrative privileges according to Cityworks Support Portal release notes
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Restrict attachment directory root configuration to folders/subfolders containing only attachments; remove any broad directory access
HARDENING: Audit Cityworks administrative accounts and disable or rotate credentials for any inactive or shared accounts
HARDENING: Restrict network access to Cityworks servers to only authorized administrative workstations and utility management staff
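
One way to audit the IIS identity hardening item above. This is an added example, not Trimble's or the advisory's own tooling. It assumes an elevated Windows PowerShell session on the IIS host with the WebAdministration module available, and it checks every application pool on the host because the advisory does not name the Cityworks pool.

```powershell
# Added example: flag IIS application pools whose identity has administrative rights.
Import-Module WebAdministration

# Direct members of the local Administrators group (well-known SID S-1-5-32-544).
# Nested groups and domain-level admin groups are not expanded; review those separately.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel

    # Resolve the account the worker process actually runs as.
    $identity = switch ($pm.identityType) {
        'SpecificUser'            { $pm.userName }
        'ApplicationPoolIdentity' { "IIS APPPOOL\$($_.Name)" }
        default                   { [string]$pm.identityType }  # LocalSystem, LocalService, NetworkService
    }

    # Normalise ".\user" and bare "user" to "COMPUTER\user" so it can be
    # compared with the names returned by Get-LocalGroupMember.
    $normalized = $identity -replace '^\.\\', "$env:COMPUTERNAME\"
    if ($pm.identityType -eq 'SpecificUser' -and $normalized -notmatch '[\\@]') {
        $normalized = "$env:COMPUTERNAME\$normalized"
    }

    # LocalSystem is always fully privileged; otherwise look for direct membership.
    $isAdmin = ($pm.identityType -eq 'LocalSystem') -or
               ($localAdmins -contains $normalized.ToLowerInvariant())

    [pscustomobject]@{
        AppPool     = $_.Name
        Identity    = $identity
        RunsAsAdmin = $isAdmin
    }
} | Sort-Object RunsAsAdmin -Descending | Format-Table -AutoSize
```

Any pool reported with RunsAsAdmin set to True is a candidate for reconfiguration to a non-administrative identity. Accounts given in user@domain form, or that gain administrative rights through a domain group, need a manual membership check.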