EXPLOITED ZERO-DAY: **CISA**: [Trimble Cityworks](https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 )
Now that it's public, I can confirm that [CVE-2025-0994](https://www.cve.org/CVERecord?id=CVE-2025-0994 ) (7.2 high) remote code execution is an exploited zero-day. Quoting Trimble [internal communication](https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? ):
> These changes address a recently discovered vulnerability enabling an external actor to exploit a deserialization vulnerability for remote code execution (RCE) against a customer's Microsoft Internet Information Services (IIS) web server
Indicators of compromise are on page 2 of the Trimble communication page* (thanks Catalin Cimpanu (npub1s69…rmen))
#threatintel #zeroday #trimble #cityworks #activeexploitation #eitw #CVE_2025_0994 #infosec #cybersecurity #cyberthreatintelligence #vulnerability #CTI
Not Simon 🐐
npub14g…xznd6
2025-02-06 15:42:20 UTC
Author Public Key
npub14g0mj0fmn0sepfuhp2wupyk7d8xyz7rezpmrx2gfsav9vxlwxypq4xznd6Seen on
wss://relay.momostr.pinkPublished at
2025-02-06 15:42:20 UTCEvent JSON
{
"id": "7c419ebf5d408c9ee249e482cceac127bfce89d0dc1cdc11762c9cbcec725c10",
"pubkey": "aa1fb93d3b9be190a7970a9dc092de69cc41787910763329098758561bee3102",
"created_at": 1738856540,
"kind": 1,
"tags": [
[
"t",
"eitw"
],
[
"t",
"activeexploitation"
],
[
"proxy",
"https://infosec.exchange/@screaminggoat/113957702270079889",
"web"
],
[
"t",
"trimble"
],
[
"t",
"cityworks"
],
[
"t",
"vulnerability"
],
[
"t",
"infosec"
],
[
"t",
"threatintel"
],
[
"t",
"cve_2025_0994"
],
[
"t",
"cybersecurity"
],
[
"p",
"868a45a1b5adcf4897a95cb07885383bb4e8d113d8012cea755381665b216bb1"
],
[
"t",
"cyberthreatintelligence"
],
[
"t",
"zeroday"
],
[
"t",
"cti"
],
[
"proxy",
"https://infosec.exchange/users/screaminggoat/statuses/113957702270079889",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/screaminggoat/statuses/113957702270079889",
"pink.momostr"
],
[
"-"
]
],
"content": "EXPLOITED ZERO-DAY: **CISA**: [Trimble Cityworks](https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 )\nNow that it's public, I can confirm that [CVE-2025-0994](https://www.cve.org/CVERecord?id=CVE-2025-0994 ) (7.2 high) remote code execution is an exploited zero-day. Quoting Trimble [internal communication](https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? ):\n\n\u003e These changes address a recently discovered vulnerability enabling an external actor to exploit a deserialization vulnerability for remote code execution (RCE) against a customer's Microsoft Internet Information Services (IIS) web server\n\nIndicators of compromise are on page 2 of the Trimble communication page* (thanks nostr:npub1s69ytgd44h8539aftjc83pfc8w6w35gnmqqje6n42wqkvkepdwcs7mrmen)\n\n#threatintel #zeroday #trimble #cityworks #activeexploitation #eitw #CVE_2025_0994 #infosec #cybersecurity #cyberthreatintelligence #vulnerability #CTI",
"sig": "7e2cbb358e87c406dfe825aafd8ba50e33f21a0919c926c6e57f2d1c98dce5c71f183b9a29ab17eb672d8a50f81d2fb6811e1072b4e5255084be4d138ecb647d"
}