Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts
Federal civilian agencies have been ordered to patch a vulnerability impacting Trimble Cityworks — a popular tool used by many governments to manage public infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) released a warning alongside Trimble on Thursday about CVE-2025-0994 after confirming it is being exploited by hackers. Federal civilian agencies have until February 28 to patch the bug.
Trimble Cityworks is an asset management system used by many local and federal government agencies to manage infrastructure assets for airports, utilities, municipalities and counties.
CISA said the vulnerability allows malicious actors to “potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server.”
In a letter to customers, the company said the notice followed “investigations of reports of unauthorized attempts to gain access to specific customers' Cityworks deployments.”
A patch was released on January 29 and the company listed several other actions customers need to take to reduce the exposure of data. Customers should limit permissions connected to Cityworks and the system “should not be run with local or domain level administrative privileges on any site.”
The company also provided indicators of compromise alongside the letter. CISA said Trimble reported the vulnerability to them and Symantec’s Threat Hunter team contributed to the advisory they released about the bug.
The bug carries a CVSS v4 severity score of 8.4 out of 10. All Cityworks versions prior to 15.8.9 are impacted by the vulnerability.
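The only hard technical fact a defender can act on here is the version boundary: every Cityworks release older than 15.8.9 is affected. The following is an added example, not code from the article or from Trimble, that triages a constructed inventory of deployments against that boundary. It assumes Cityworks versions are plain dotted numeric strings (as 15.8.9 is) and uses invented host names; it compares versions numerically so that a release such as 15.8.10 is not mistaken for a vulnerable one, and it flags any entry whose version cannot be parsed rather than treating it as safe.

```python
# Added example (not from the article or Trimble): find Cityworks deployments
# whose version predates the fixed release 15.8.9 named in the advisory.
from typing import List, Tuple

FIXED_VERSION = "15.8.9"  # first release the article reports as not affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.8.9' into (15, 8, 9) so comparison is numeric, not lexical.

    A plain string comparison would wrongly rank '15.8.10' below '15.8.9'.
    Assumes the dotted-numeric scheme seen in the advisory; anything else
    raises ValueError so the caller can flag it instead of guessing.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one.

    Python compares tuples element by element, so (15, 8) < (15, 8, 9) holds,
    which correctly treats a bare '15.8' as older than '15.8.9'.
    """
    return parse_version(version) < parse_version(fixed)


def deployments_needing_patch(
    inventory: List[Tuple[str, str]]
) -> List[Tuple[str, str]]:
    """Return (host, status) for every deployment that needs attention.

    status is 'affected' for versions older than the fix and
    'unknown-version' for entries that could not be parsed; an unknown
    version must not be assumed patched.
    """
    findings: List[Tuple[str, str]] = []
    for host, version in inventory:
        try:
            if is_affected(version):
                findings.append((host, "affected"))
        except ValueError:
            findings.append((host, "unknown-version"))
    return findings


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("gis-app-01", "15.8.9"),    # exactly the fixed release
    ("gis-app-02", "15.8.10"),   # newer than the fix; lexical compare would get this wrong
    ("permits-web", "15.7.2"),   # older minor release
    ("legacy-dmz", "15.8.8"),    # one patch level short
    ("test-box", "n/a"),         # version not recorded
]

if __name__ == "__main__":
    for host, status in deployments_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Feed it the real inventory (host, reported version) from whatever asset register tracks your Cityworks sites; anything returned as "affected" is on the list the CISA deadline applies to, and anything "unknown-version" needs its version confirmed on the box before it can be struck off.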
Trimble did not respond to requests for comment about what actions the hackers took after exploiting CVE-2025-0994 or where the hackers may be based.
Trimble is a large Colorado-based technology provider, with more than 11,000 employees across about 40 countries. The company reported a revenue of $875.8 million in the last fiscal quarter.
The Cityworks tool allows customers to manage critical infrastructure assets from one platform and organize inspections, work orders, permits, operations and more.
About a year ago, agricultural equipment manufacturer AGCO acquired an 85% stake in Trimble's agribusiness for $2 billion in cash. AGCO suffered a ransomware attack in 2022 that impacted its business operations.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.