Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-0994

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Published

2025-02-06T16:15:41.493

Last Modified

2025-10-30T15:54:12.517

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	trimble	cityworks	< 15.8.9	Yes
Application	trimble	cityworks	< 23.10	Yes

References

https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? Vendor Advisory ([email protected])
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 Third Party Advisory, US Government Resource ([email protected])
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994 US Government Resource (134c704f-9b21-4f2e-91b3-4a467353bcc0)