Trimble Cityworks: CVE-2025-0994: Active Exploitation
Feb. 20, 2025, 8:58 a.m.
Description
CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks. It affects Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10. An authenticated attacker can exploit it to execute code remotely on the Microsoft IIS web server that hosts Cityworks. Exploitation indicators point to Rust-based loaders being used to deploy VShell and Cobalt Strike; the malicious files, including obfuscated JavaScript and executables, were likely downloaded from Cobalt Strike C2 servers. A Shodan search shows 111 internet-exposed Cityworks instances, of which 21% are vulnerable; most are in the US and include .gov domains. CISA has added this CVE to its Known Exploited Vulnerabilities Catalog, and organizations are urged to upgrade to the patched versions immediately. Because exploitation requires a valid Cityworks login, reviewing who holds Cityworks credentials and checking recent authentication activity is a reasonable companion step to patching.
Date
- Created: Feb. 20, 2025, 2:49 a.m.
- Published: Feb. 20, 2025, 2:49 a.m.
- Modified: Feb. 20, 2025, 8:58 a.m.
Indicators
- f09b51b759dfe7de06fa724bd89592f5b8eae57053d5fb4891e40f24055103fb
- 883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925
- 8a6c735f3608719ec9f46d9c6c5fc196db8c97065957c218b98733a491edd899
- 4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
- 4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5
- 1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b
- 151a71c43e63db802d41d5d715aa98eb1b236e0a6441076a8d30fd93990416b4
- 14a072113baa0a1e1e2b6044068c7bc972ae5e541a0aec06577b0d6663140079
- 04dc3a16e1e2b4924943805a1cea5e402c4f2304c717ea21fdf43274b8c34a84
- 149.112.117.49
- 31.59.70.13
- 31.59.70.11
- 23.247.136.238
- ifode.xyz
- cdn.lgaircon.xyz
- cdn.phototagx.com
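As an added example, not part of the original advisory and not Trimble's or CISA's own tooling, the following Python script turns the indicators listed above and the affected-version thresholds from the description into something an incident responder can run: it sweeps log lines for the listed IPs and domains (subdomains included), hashes a directory tree against the listed SHA-256s, and flags Cityworks / Office Companion versions below the fixed releases. The sample log lines and the scan directory are constructed for illustration; the exploit request itself is not shown because the advisory does not describe it.

```python
"""Added example: sweep logs, on-disk files and product versions against the
CVE-2025-0994 indicators listed in this advisory. The sample log lines below
are constructed for illustration and are not from the advisory."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Iterable

# Indicators copied from the advisory's Indicators section.
IOC_SHA256 = {
    "f09b51b759dfe7de06fa724bd89592f5b8eae57053d5fb4891e40f24055103fb",
    "883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925",
    "8a6c735f3608719ec9f46d9c6c5fc196db8c97065957c218b98733a491edd899",
    "4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9",
    "4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5",
    "1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b",
    "151a71c43e63db802d41d5d715aa98eb1b236e0a6441076a8d30fd93990416b4",
    "14a072113baa0a1e1e2b6044068c7bc972ae5e541a0aec06577b0d6663140079",
    "04dc3a16e1e2b4924943805a1cea5e402c4f2304c717ea21fdf43274b8c34a84",
}
IOC_IPS = {"149.112.117.49", "31.59.70.13", "31.59.70.11", "23.247.136.238"}
IOC_DOMAINS = {"ifode.xyz", "cdn.lgaircon.xyz", "cdn.phototagx.com"}

# Fixed releases named in the advisory.
FIXED_CITYWORKS = "15.8.9"
FIXED_OFFICE_COMPANION = "23.10"


def parse_version(version: str) -> tuple[int, ...]:
    """'15.8.9' -> (15, 8, 9); tuples compare component-wise, so (15, 8) < (15, 8, 9)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(cityworks: str | None = None, office_companion: str | None = None) -> bool:
    """True if either reported version is below the fixed release from the advisory."""
    if cityworks is not None and parse_version(cityworks) < parse_version(FIXED_CITYWORKS):
        return True
    if office_companion is not None and parse_version(office_companion) < parse_version(FIXED_OFFICE_COMPANION):
        return True
    return False


# Host-like tokens: bare IPs, hostnames, and hostnames embedded in URLs or referers.
_HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def find_network_iocs(line: str) -> set[str]:
    """Return the listed IPs/domains that appear in one log line (subdomains count as hits)."""
    hits: set[str] = set()
    for token in _HOST_TOKEN.findall(line):
        token = token.rstrip(".").lower()
        if token in IOC_IPS:
            hits.add(token)
        for domain in IOC_DOMAINS:
            if token == domain or token.endswith("." + domain):
                hits.add(domain)
    return hits


def scan_log(lines: Iterable[str]) -> list[tuple[int, set[str]]]:
    """(1-based line number, matched indicators) for every line that touches an IOC."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := find_network_iocs(line))]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(root: Path) -> list[Path]:
    """Files under root whose SHA-256 matches one of the advisory's hashes."""
    matches: list[Path] = []
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                if sha256_bytes(fh.read()) in IOC_SHA256:
                    matches.append(path)
    return matches


# Constructed IIS (lines 1-2) and proxy (line 3) log lines, not real traffic:
# line 1 is a request from a listed IP, line 3 is a fetch from a listed domain.
SAMPLE_LOG = [
    "2025-02-10 03:12:44 10.0.0.5 POST /cityworks/ - 443 admin 31.59.70.13 Mozilla/5.0 - 200 0 0 812",
    "2025-02-10 03:12:45 10.0.0.5 GET /cityworks/ - 443 jdoe 203.0.113.7 Mozilla/5.0 - 200 0 0 41",
    "2025-02-10 03:13:01 10.0.0.5 GET http://cdn.lgaircon.xyz/a.js 200 0 0 15",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {sorted(hits)}")
    print("vulnerable (15.8.8):", is_vulnerable(cityworks="15.8.8"))
    # Point scan_files at the IIS site root or a triage collection, e.g.:
    # print(scan_files(Path(r"C:\inetpub\wwwroot")))  # hypothetical path
```

Hash matching catches only the exact files listed; repacked loaders will not match, so treat the network indicators and the version check as the stronger signals, and pass a real IIS log directory (or DNS/proxy exports) to scan_log rather than the constructed sample.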
Attack Patterns
- VShell
- Cobalt Strike - S0154
- Obtain Capabilities: Malware - T1588.001
- Obtain Capabilities: Tool - T1588.002
- Obfuscated Files or Information: Software Packing - T1027.002
- Command and Scripting Interpreter: JavaScript - T1059.007
- Application Layer Protocol: Web Protocols - T1071.001
- Masquerading: Match Legitimate Name or Location - T1036.005
- Encrypted Channel - T1573
- System Information Discovery - T1082
- Ingress Tool Transfer - T1105
- Obfuscated Files or Information - T1027
Additional Information
- Communications
- Energy
- Transportation
- Government
- United States of America