Trimble’s GIS Software Vulnerability Targeted in Ongoing Cyberattacks
Chinese-speaking threat actors have exploited a high-severity zero-day vulnerability in Trimble’s Cityworks software, compromising multiple local government networks across the United States. The cyberattacks, active since January 2025, have been attributed by Cisco Talos to a threat group it tracks as UAT-6382.
The attackers exploited a deserialization flaw, now tracked as CVE-2025-0994, to execute code on the Microsoft Internet Information Services (IIS) servers hosting Cityworks. Once inside, they deployed several tools to maintain persistent access and move laterally.
“The attackers exploited a flaw in Cityworks to execute code on local government servers, enabling full remote access and control,”
— Cisco Talos researchers
Attack Method and Malware Deployed
Cityworks is a widely used asset management and GIS-based software suite for public sector services. The flaw is a deserialization of untrusted data (CWE-502) in the application’s handling of serialized input: an attacker who can reach the affected endpoint supplies a crafted object that, when deserialized on the server, executes code in the context of the IIS worker process.
Once inside the system, the following malicious tools were deployed:
- Cobalt Strike beacons for command and control
- VShell malware for remote access
- Web shells for persistent entry points
- Custom Chinese-language tools tailored for post-exploitation
“The threat actor deployed both off-the-shelf and customized malware components to embed themselves deeply into affected infrastructure.”
— Cisco Talos
Focused Intrusions Into Public Utilities Networks
The group specifically targeted municipal systems managing utilities and infrastructure. Cisco’s investigation revealed that after gaining a foothold, the attackers attempted to expand into networks managing water, transportation, and other public services.
The targeting and the nature of the tools used indicate a strategic focus on long-term espionage and control of operational systems rather than opportunistic financial gain.
Patch Issued and Immediate Mitigation Urged
Trimble has patched the vulnerability in Cityworks 15.8.9 and in Cityworks with Office Companion 23.10; all earlier releases are affected. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added CVE-2025-0994 to its Known Exploited Vulnerabilities catalog, urging all users of the affected software to upgrade without delay.
Recommended actions for Cityworks users:
- Apply the fixed Cityworks release immediately
- Review and limit IIS permissions: the application pool identity running Cityworks should not hold local or domain-level administrative privileges, so that code executed through the web application cannot trivially take over the host
- Restrict the attachment directory configuration to the attachment folders only, so uploaded files cannot be written to locations IIS will serve or execute
- Conduct full threat hunting and log review for indicators of compromise, in particular unexpected server-side script files (.aspx, .ashx, .asmx) in web roots or attachment folders, unusual child processes of the IIS worker process (w3wp.exe), and outbound beaconing consistent with Cobalt Strike or VShell
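The log-review and attachment-directory checks above, as an added example that is not Cisco Talos', Trimble's or CISA's code. It parses IIS W3C extended log lines and flags requests for server-side script files under the attachment directory (which should only ever serve static uploads) and, more strongly, POST traffic to such files, which is how a planted web shell is driven; it also walks an on-disk attachment folder for the same file types. The virtual path `/cityworks/attachments/` is a placeholder, not a documented Cityworks layout, and the log lines and file names are constructed for the demo.

```python
"""Hunting helper for the web-shell stage of the Cityworks intrusions.

Added example, not Cisco Talos', Trimble's or CISA's code. Assumes the
default IIS W3C field set and that the attachment folder is published
under ATTACHMENT_PREFIX (a placeholder; adjust to the real site layout).
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

# Extensions IIS/ASP.NET will execute rather than serve as static content.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".soap")
# Assumed virtual path of the Cityworks attachment folder (placeholder).
ATTACHMENT_PREFIX = "/cityworks/attachments/"

# Constructed IIS log excerpt: one legitimate user, one external address that
# reaches a script file in the attachment folder and then drives it via POST.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-14 03:12:07 10.0.0.5 GET /cityworks/attachments/2025/workorder_1187.pdf - 443 jdoe 10.0.8.21 Mozilla/5.0 - 200 0 0 31
2025-01-14 03:12:44 10.0.0.5 POST /cityworks/login - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 412
2025-01-14 03:13:02 10.0.0.5 GET /cityworks/attachments/temp/config.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 18
2025-01-14 03:13:09 10.0.0.5 POST /cityworks/attachments/temp/config.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 96
2025-01-14 03:13:11 10.0.0.5 POST /cityworks/attachments/temp/config.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 1204
2025-01-14 03:15:30 10.0.0.5 GET /cityworks/attachments/2025/photo_44.jpg - 443 jdoe 10.0.8.21 Mozilla/5.0 - 200 0 0 12
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def hunt(lines):
    """Return Hit records for script files touched under the attachment prefix."""
    hits = []
    for row in parse_w3c(lines):
        uri = row["cs-uri-stem"].lower()
        if uri.startswith(ATTACHMENT_PREFIX) and uri.endswith(SCRIPT_EXTS):
            method = row["cs-method"]
            reason = "script file served from attachment directory"
            if method == "POST":
                reason = "POST to script file in attachment directory (web shell traffic?)"
            hits.append(Hit(row["time"], row["c-ip"], method,
                            row["cs-uri-stem"], row["sc-status"], reason))
    return hits


def summarize(hits):
    """Count hits per client address so the operator sees who is driving the shell."""
    return Counter(h.client_ip for h in hits)


def scan_attachment_dir(root):
    """Return server-side script files found under an on-disk attachment folder."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCRIPT_EXTS):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def demo_scan():
    """Build a throwaway attachment tree (constructed) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2025"))
        os.makedirs(os.path.join(root, "temp"))
        for rel in ("2025/workorder_1187.pdf", "2025/photo_44.jpg", "temp/config.aspx"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("x")
        return scan_attachment_dir(root)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.time} {h.client_ip:>15} {h.method:4} {h.uri} [{h.status}] -> {h.reason}")
    print("per-source counts:", dict(summarize(hits)))
    print("script files in demo attachment folder:", demo_scan())
```

A 404 on a probed .aspx under the attachment path is still worth a look (it may be a scan for a shell that was cleaned up), so the filter does not restrict on status; correlate the flagged client addresses with w3wp.exe child-process telemetry from the same window.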
“Organizations must patch vulnerable versions immediately and audit access configurations to prevent further exploitation.”
— CISA Advisory
Ongoing Threat to Critical Infrastructure
This campaign is the latest in a string of targeted cyberattacks against U.S. infrastructure using software supply chain or zero-day vulnerabilities. It underscores the importance of timely patch management and vigilance across government IT environments.