February 8, 2025

How to Fix CVE-2025-0994: Remote Code Execution Vulnerability in Trimble Cityworks IIS Web Server?


Guide on resolving CVE-2025-0994 vulnerability.

Trimble Cityworks, a widely used platform for local government and public works management, has a critical vulnerability that demands immediate attention. CVE-2025-0994 is a remote code execution (RCE) vulnerability that could allow attackers to compromise systems running vulnerable versions of Cityworks. This article provides a comprehensive guide for security professionals to understand, detect, and remediate this flaw, ensuring the security of their Cityworks deployments and the sensitive data they manage.

A Short Introduction to Trimble Cityworks

Trimble Cityworks is a comprehensive GIS-centric asset management platform designed for local government and public works organizations. It helps these organizations manage infrastructure assets, streamline workflows, and improve citizen services. Cityworks integrates with Esri's ArcGIS platform, providing a powerful combination of GIS mapping and asset management capabilities. The platform supports various functions, including asset inventory, work order management, permitting, inspections, and citizen engagement.

Summary of CVE-2025-0994

  • CVE ID: CVE-2025-0994

  • Description: Deserialization of Untrusted Data leading to Remote Code Execution

  • CVSS Score: 8.6 (High)

  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2025-0994 is a critical vulnerability affecting Trimble Cityworks versions prior to 23.10. This flaw stems from the deserialization of untrusted data, which could allow an authenticated user to perform a remote code execution (RCE) attack against a customer's Microsoft Internet Information Services (IIS) web server. The vulnerability exists because the application does not properly validate or sanitize the data being deserialized, allowing an attacker to inject malicious code that will be executed by the server. An attacker with valid credentials can leverage this vulnerability to gain complete control over the affected IIS web server.

Impact of CVE-2025-0994

The impact of CVE-2025-0994 is significant. Successful exploitation allows an authenticated user to execute arbitrary code remotely on the affected IIS web server. This level of access could allow attackers to access sensitive data, modify system configurations, or use the server as a launching point for further attacks within the network. A compromised IIS server can lead to data breaches, service disruptions, and reputational damage. Given the high CVSS base score of 8.6, organizations must prioritize the remediation of this vulnerability to protect their Cityworks deployments. The vulnerability has been added to the CISA Known Exploited Vulnerabilities list, indicating active exploitation in the wild.

Products Affected by CVE-2025-0994

The following versions of Trimble Cityworks are affected by CVE-2025-0994:

Product                    | Version(s) Affected
Trimble Cityworks          | Prior to 23.10
Cityworks Office Companion | Prior to 23.10

Trimble Cityworks version 23.10 and later have addressed this vulnerability.

How to Check Whether Your Product Is Vulnerable?

Several methods can be used to determine if your Trimble Cityworks deployment is vulnerable to CVE-2025-0994:

1. Version Verification: The most straightforward method is to check the version of your Cityworks instance. Log in to the Cityworks web interface and navigate to the "About" or "System Information" section. If the version is earlier than 23.10, your system is vulnerable.

2. Nuclei Template: Use the provided Nuclei template to automate the detection process. Nuclei is a fast, customizable vulnerability scanner driven by YAML templates. The template provided in the original document extracts the version from the HTML body and determines if the instance is vulnerable.

To run the script:

3. Manual Inspection: Review the Cityworks IIS web server logs for suspicious activities, such as unusual authentication attempts or unexpected code execution. This method requires a deep understanding of Cityworks' normal operations and potential attack patterns.

How to Fix CVE-2025-0994?

The primary remediation strategy for CVE-2025-0994 is to upgrade to a patched version of Trimble Cityworks. If immediate upgrading is not feasible, several mitigation measures can be implemented to reduce the risk of exploitation.

  1. Upgrade Trimble Cityworks: The most effective solution is to upgrade to version 23.10 or later. This version contains the necessary patch to address the deserialization vulnerability.

  2. Implement Strong Authentication Mechanisms: Enforce strong password policies and consider implementing multi-factor authentication (MFA) to protect against unauthorized access.

  3. Limit User Privileges: Apply the principle of least privilege by granting users only the minimum necessary permissions to perform their tasks. This can reduce the impact of a successful exploit.

  4. Monitor IIS Web Server Logs: Regularly monitor IIS web server logs for suspicious activities, such as unusual authentication attempts or unexpected code execution. Implement security logging mechanisms to notify security personnel of potential threats.

  5. Implement Network Segmentation: Isolate vulnerable systems within the network to prevent attackers from moving laterally to other critical assets.

  6. Keep Systems Updated: Ensure that all systems, especially Microsoft IIS, are updated with the latest security patches. This can help prevent attackers from exploiting other vulnerabilities to gain access to the system.

  7. Web Application Firewall (WAF): Deploy a WAF in front of the Cityworks IIS server. Configure the WAF with rules to detect and block common deserialization attacks. This can provide an additional layer of protection against exploitation.
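An added example (not code from the original article or from Trimble) of the log review recommended in the manual inspection step and in mitigation 4: it parses IIS W3C extended logs and reports clients that produce a burst of 401 responses and then make an authenticated request. The log lines, paths, account names and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format. Paths, users and
# addresses are made up for illustration (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-02-08 10:00:01 POST /example/login - 203.0.113.7 401
2025-02-08 10:00:02 POST /example/login - 203.0.113.7 401
2025-02-08 10:00:03 GET /example/home alice 198.51.100.20 200
2025-02-08 10:00:04 POST /example/login - 203.0.113.7 401
2025-02-08 10:00:05 POST /example/login - 198.51.100.20 401
2025-02-08 10:00:06 POST /example/login - 203.0.113.7 401
2025-02-08 10:00:07 POST /example/login - 203.0.113.7 401
2025-02-08 10:00:09 POST /example/login svc_gis 203.0.113.7 200
2025-02-08 10:00:10 GET /example/home
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text, threshold=5):
    """Map client IP -> 401 count and accounts used after the burst."""
    failures = defaultdict(int)
    findings = {}
    for r in parse_w3c(text):
        ip = r.get("c-ip")
        status = r.get("sc-status", "")
        user = r.get("cs-username", "-")
        if status == "401":
            failures[ip] += 1
            if failures[ip] >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "users": set()})
                entry["failures"] = failures[ip]
        elif ip in findings and user != "-" and status.startswith("2"):
            findings[ip]["users"].add(user)  # success after a failure burst
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On sites that use Windows authentication, 401 challenge responses are part of the normal handshake, so set the threshold against a baseline of ordinary traffic for the server.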

Important Considerations:

  • Backup Before Upgrading: Always back up your Cityworks database and configuration files before performing any upgrades. This will allow you to restore your system in case of any issues during the upgrade process.

  • Test Upgrades in a Non-Production Environment: Before applying upgrades to your production environment, test them in a non-production environment to ensure compatibility and stability.

  • Monitor Official Channels: Monitor official channels for any security updates or patches related to this vulnerability.

By implementing these remediation and mitigation strategies, organizations can significantly reduce the risk posed by CVE-2025-0994 and protect their Cityworks deployments from remote code execution attacks.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
