Patch now! Malicious code attacks on Trimble Cityworks observed

The Cityworks asset management system from Trimble is vulnerable: attackers are currently exploiting a security vulnerability in it.

Dialog with progress bar "Attack successful"

(Image: Gorodenkoff/Shutterstock.com)

Admins who manage the Trimble Cityworks asset management software need to protect their systems from ongoing attacks by installing a security update.

Employees use Cityworks to manage capital assets and workflows, among other things. Because the software is used by public authorities and utility companies, admins should not delay. The US security authority Cybersecurity & Infrastructure Security Agency (CISA) warns of the attacks in an advisory. It is not known how widespread the attacks currently are.

In a warning message, Trimble states that on-premises customers must install version 15.8.9 or 23.10, which are protected against the attacks. All previous versions are said to be vulnerable. Cityworks Online Deployments (CWOL) are already protected.

In the attacks, attackers use a vulnerability (CVE-2025-0994, CVSS 8.6, risk "high") to execute malicious code in the context of Microsoft's Internet Information Services (IIS) web server. It is currently not known how the attacks work in detail. The description of the vulnerability states that attackers must be authenticated for a successful attack.

Trimble's warning message also lists Indicators of Compromise (IOCs) that admins can use to identify systems that have already been attacked. These include specific files and IP addresses.


In addition to installing the security patch, the developers also give further security recommendations that must be followed. For example, IIS should not be run with administrator rights anywhere, and attachment directories should be configured securely. Admins can find guidance on this in the Cityworks support portal.
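The two previous paragraphs describe what a defender should check: IIS access logs for the listed IP addresses and file names, and attachment directories for files that should not be there. The following Python script, added here as an example and not taken from the heise article, Trimble or CISA, shows one way to do that offline. It parses IIS W3C extended log text using the `#Fields:` header, matches client IPs and requested file names against an IoC list, and flags server-executable file types in an attachment directory listing. Every IoC value, log line and path in it is a constructed placeholder (the IP addresses are from the TEST-NET documentation ranges); the real indicators must be taken from Trimble's warning message, and the set of flagged extensions is an assumption of this example, not vendor guidance.

```python
"""Check IIS logs and a Cityworks attachment listing against IoC placeholders.

Added example, not from the article, Trimble or CISA. All indicator values,
log lines and paths below are constructed; replace them with the real ones.
"""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder IoCs (constructed). Take the real values from Trimble's advisory.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}        # TEST-NET ranges, not real IoCs
IOC_FILE_NAMES = {"placeholder-suspect.aspx", "placeholder-loader.dll"}

# File types that should never appear in a user-writable attachment directory
# of a web application (assumption of this example, not Trimble's list).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".exe", ".ps1"}

# Constructed IIS W3C log sample; IIS replaces spaces in the User-Agent with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-02-07 10:15:01 10.0.0.5 POST /cityworks/Services/AMS/Preferences/ - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-07 10:15:03 10.0.0.5 GET /cityworks/Default.aspx - 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-07 10:15:09 10.0.0.5 GET /cityworks/Attachments/placeholder-suspect.aspx - 203.0.113.77 curl/8.4.0 200
"""

# Constructed attachment directory listing (Windows paths, as on a Cityworks host).
SAMPLE_ATTACHMENTS = [
    r"D:\Cityworks\Attachments\WorkOrder\12345\photo.jpg",
    r"D:\Cityworks\Attachments\WorkOrder\12345\report.pdf",
    r"D:\Cityworks\Attachments\WorkOrder\12345\placeholder-suspect.aspx",
    r"D:\Cityworks\Attachments\Inspection\notes.ashx",
]


@dataclass(frozen=True)
class Finding:
    source: str     # "log" or "attachments"
    indicator: str  # which IoC or rule matched
    detail: str     # the log line or file path that matched


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_iis_log(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def scan_log(text: str, ioc_ips=IOC_IPS, ioc_files=IOC_FILE_NAMES) -> list[Finding]:
    """Flag requests whose client IP or requested file name is a known IoC."""
    wanted = {f.lower() for f in ioc_files}
    findings: list[Finding] = []
    for rec in parse_iis_log(text):
        client = rec.get("c-ip", "")
        stem = rec.get("cs-uri-stem", "")
        line = " ".join(rec.values())
        if client in ioc_ips:
            findings.append(Finding("log", f"c-ip {client}", line))
        if basename(stem).lower() in wanted:
            findings.append(Finding("log", f"uri {stem}", line))
    return findings


def scan_attachment_listing(paths, ioc_files=IOC_FILE_NAMES) -> list[Finding]:
    """Flag IoC file names and any server-executable file type in attachment dirs."""
    wanted = {f.lower() for f in ioc_files}
    findings: list[Finding] = []
    for p in paths:
        name = basename(p).lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if name in wanted:
            findings.append(Finding("attachments", f"ioc file {name}", p))
        elif ext in SCRIPT_EXTENSIONS:
            findings.append(Finding("attachments", f"executable type {ext}", p))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG) + scan_attachment_listing(SAMPLE_ATTACHMENTS):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

On a real host, feed the script the contents of the IIS log directory (by default under `%SystemDrive%\inetpub\logs\LogFiles`) and a recursive listing of the configured attachment root; any hit is a reason to treat the system as compromised and follow the vendor's and CISA's guidance rather than only cleaning up the flagged file.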

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.