Threat Advisory

Cityworks Vulnerability Allows Attackers to Compromise Critical Infrastructure Systems

Threat: Vulnerability/Malware
Targeted Region: Global
Targeted Sector: Technology & IT, Energy & Utilities, Critical Infrastructure, Government & Defense
Criticality: High

EXECUTIVE SUMMARY:

CVE-2025-0994 is a high-severity deserialization vulnerability affecting Trimble Cityworks, a widely used asset management and work order software designed for local governments and utilities. This software is critical for managing infrastructure sectors such as water and wastewater systems, energy, transportation, government facilities, and communications. The vulnerability impacts Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions before 23.10. Exploitation of this flaw allows authenticated attackers to achieve remote code execution (RCE) on a target’s Microsoft Internet Information Services (IIS) web server. This poses a significant risk to organizations relying on Cityworks, as successful exploitation can lead to unauthorized access and control over critical systems. Evidence suggests that threat actors are actively exploiting this vulnerability to deploy malicious payloads, including custom Rust-based loaders, obfuscated JavaScript, and tools like Cobalt Strike and VShell, which are commonly used in advanced attacks.

The vulnerability enables attackers to deliver malicious payloads into the victim’s environment. Indicators of compromise reveal the use of custom Rust-based loaders capable of injecting VShell and Cobalt Strike into memory. Additionally, an obfuscated JavaScript payload was found in the “%TEMP%” folder, along with three malicious executables with randomized alphanumeric filenames. Two files masquerading as legitimate services were also identified. These malicious files were likely downloaded from threat actor-controlled Cobalt Strike C2 servers. Staging infrastructure included IP addresses that have been validated as Cobalt Strike C2 servers. Other threat actor-controlled IPs and domains were also observed. At the time of analysis, 111 exposed Cityworks instances were identified, with 21% being vulnerable, predominantly located in the United States, including multiple .gov domains.

CVE-2025-0994 represents a significant threat to organizations using Trimble Cityworks, particularly those in critical infrastructure sectors. Successful exploitation allows attackers to achieve remote code execution, deploy malicious payloads, and potentially gain control over critical systems. The presence of IoCs, including obfuscated JavaScript, custom loaders, and Cobalt Strike C2 infrastructure, underscores the advanced nature of the attacks. With a substantial number of exposed and vulnerable instances, the risk of widespread exploitation is high. Organizations must remain vigilant and take the necessary steps to mitigate this vulnerability to protect their assets and infrastructure from potential compromise.
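The following triage helper is an added example, not code from the advisory or from Trimble: it checks a constructed Cityworks inventory against the affected version ranges stated above (fixed in Cityworks 15.8.9 and Office Companion 23.10) and flags %TEMP% entries shaped like the IoCs described (JavaScript files and executables with randomized alphanumeric names). Hostnames, version strings and file names are constructed sample data; the filename heuristic is an assumption of this example, not an indicator published in the advisory.

```python
"""Triage helper for CVE-2025-0994 (added example; sample data is constructed)."""
import re

# Fixed releases stated in the advisory.
FIXED_CITYWORKS = (15, 8, 9)
FIXED_OFFICE_COMPANION = (23, 10)


def parse_version(text):
    """'15.8.10' -> (15, 8, 10). Numeric tuples compare correctly; a plain
    string comparison would wrongly rank '15.10.0' below '15.8.9'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_affected(cityworks, office_companion=None):
    """True when either component is older than its fixed release.
    A shorter tuple such as '15.8' sorts below (15, 8, 9), which is the
    intended result: 15.8 is prior to 15.8.9."""
    if parse_version(cityworks) < FIXED_CITYWORKS:
        return True
    if office_companion and parse_version(office_companion) < FIXED_OFFICE_COMPANION:
        return True
    return False


def affected_hosts(inventory):
    """inventory: iterable of (host, cityworks_version, office_companion_version)."""
    return [host for host, cw, oc in inventory if is_affected(cw, oc)]


def looks_randomized(stem):
    """Heuristic (assumption of this example): a purely alphanumeric stem whose
    letters and digits alternate at least four times, e.g. 'x7k2q9'."""
    return stem.isalnum() and len(re.findall(r"[a-z]+|\d+", stem.lower())) >= 4


def suspicious_temp_entries(filenames):
    """Flag .js files and randomized-name executables in a %TEMP% listing.
    A hit is a lead for analysts to examine, not proof of compromise."""
    hits = []
    for name in filenames:
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "js" or (ext.lower() == "exe" and looks_randomized(stem)):
            hits.append(name)
    return hits


if __name__ == "__main__":
    sample = [("gis-app-01", "15.8.10", "23.10"), ("works-02", "15.10.1", "23.9"),
              ("legacy-03", "15.8", None)]
    print(affected_hosts(sample))  # ['works-02', 'legacy-03']
    print(suspicious_temp_entries(["x7k2q9.exe", "tmp.js", "setup64.exe", "w3wp.exe"]))
```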

THREAT PROFILE:

Tactic               Technique ID   Technique
Execution            T1203          Exploitation for Client Execution
Persistence          T1543          Create or Modify System Process
Defense Evasion      T1078          Valid Accounts
                     T1055          Process Injection
                     T1140          Deobfuscate/Decode Files or Information
Credential Access    T1003          OS Credential Dumping
Discovery            T1012          Query Registry
Lateral Movement     T1021          Remote Services
Command and Control  T1071          Application Layer Protocol
Exfiltration         T1567          Exfiltration Over Web Service

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/xe-group-exploits-zero-day-vulnerabilities-in-veracore-cve-2024-57968-cve-2025-25181/
https://intezer.com/blog/research/xe-group-exploiting-zero-days/