Hackers are exploiting a high-severity remote code execution (RCE) flaw in Cityworks deployments, a GIS-centric asset and work order management software, to execute code on customers' Microsoft web servers.
In a coordinated advisory with the US Cybersecurity and Infrastructure Security Agency (CISA), Cityworks' developer Trimble stated that the vulnerability, tracked as CVE-2025-0994 with a CVSS score of 8.6/10, is a severe deserialization flaw and that it is working on a fix that will probably be released in the next software update.
US cities including Greeley, Baltimore County, and Newport News, along with critical utilities such as Sacramento Suburban Water District and Bay County Road Commission, rely on Cityworks for asset management. A breach could lead to service disruptions, data exposure, and public safety risks, highlighting the need for prompt patching of this vulnerability.