CVE-2025-0994
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
| CWE | CWE-502 |
| Vendor | trimble |
| Product | cityworks |
| Published | Feb 6, 2025 |
| Last Updated | Oct 21, 2025 |
⚠️ Actively Exploited — Act Now
Get instant alerts for trimble cityworks
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-0994.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Trimble / Cityworks
0 < 15.8.9
Trimble / Cityworks (with office companion)
0 < 23.10
References
cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 learn.assetlifecycle.trimble.com: https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994
Credits
🔍 Trimble