
Hackers Exploit Cityworks RCE Bug to Breach Microsoft IIS Servers

Microsoft IIS Servers Hacked

By WIRE TOR - Ethical Hacking Services | Published 11 months ago | 4 min read

Overview of the Cityworks Vulnerability

Software vendor Trimble has issued a security warning regarding active exploitation of a deserialization vulnerability in Cityworks, which is being used by hackers to execute remote commands on Microsoft IIS servers. Threat actors leveraging this flaw have been observed deploying Cobalt Strike beacons, a well-known penetration testing tool frequently repurposed by cybercriminals for persistent network access.

Cityworks is a Geographic Information System (GIS)-centric asset management and work order management software primarily utilized by local governments, utilities, and public works organizations. It aids municipalities in managing public assets, processing work orders, handling permitting and licensing, and streamlining capital planning and budgeting processes.

The vulnerability, tracked as CVE-2025-0994, has been assigned a CVSS v4.0 severity score of 8.6, classifying it as a high-severity security issue. The flaw allows authenticated users to execute code remotely on targeted Microsoft IIS servers, posing a significant threat to organizations relying on Cityworks for essential infrastructure management.

Active Exploitation and Ongoing Attacks

According to Trimble, threat actors are actively exploiting CVE-2025-0994 to breach customer networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory recommending that all affected users immediately secure their systems against this attack vector.

Affected software versions include:

Cityworks versions prior to 15.8.9

Cityworks with Office Companion versions before 23.10

Trimble released patches on January 28 and 29, 2025, for Cityworks versions 15.8.9 and 23.10, respectively. While cloud-hosted instances (CWOL) are updated automatically, organizations running on-premises deployments must manually apply the security updates to mitigate risk.

How Hackers Are Exploiting the Flaw

Although CISA has not disclosed the specific attack methodology, Trimble has confirmed that hackers are leveraging CVE-2025-0994 to gain unauthorized access to IIS servers. Key security concerns include overprivileged IIS identity permissions and misconfigured attachment directory settings, both of which can be exploited to escalate privileges and deploy malicious payloads.

Indicators of Compromise (IoCs) and Tools Used in Attacks

Security researchers have identified various Indicators of Compromise (IoCs) associated with this attack, revealing that threat actors have deployed multiple remote access tools, including:

Cobalt Strike Beacons – Used for lateral movement and establishing persistent access within compromised networks.

WinPutty – A modified version of the PuTTY SSH client often used for unauthorized remote connections.

These tools indicate that hackers are not only gaining initial access to networks but are also establishing long-term persistence, enabling further exploitation of the compromised environment.

Connection to Other Recent IIS Server Attacks

Microsoft has also recently issued a warning regarding IIS server breaches involving ViewState code injection attacks. In these attacks, threat actors exploit ASP.NET machine keys that have been exposed online to inject malicious payloads into IIS servers. This underscores a broader trend of hackers actively targeting Microsoft IIS environments with sophisticated attack techniques.

Trimble’s Recommended Security Measures

To mitigate the risk of exploitation, Trimble recommends that organizations using Cityworks take the following actions immediately:

Apply Security Patches: Update to Cityworks 15.8.9 or 23.10 as soon as possible.

Review IIS Permissions: Ensure that IIS identity permissions are not overprivileged and do not operate with local or domain-level administrative rights.

Restrict Attachment Directories: Configure attachment root folders to contain only the necessary files and restrict access as needed.

Once these actions have been completed, Cityworks users can resume normal operations while continuing to monitor for potential threats.
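
As an added illustration of the IIS permissions review described above (this script is not from Trimble or CISA), the following PowerShell lists each application pool's identity and flags pools that run as LocalSystem or as a custom account that is a direct member of the local Administrators group. It assumes the WebAdministration and LocalAccounts modules are available on the server and does not check domain-level group membership, which needs a separate Active Directory query.

```powershell
# Added example: flag IIS application pools whose identity is overprivileged.
# Run from an elevated Windows PowerShell session on the IIS server.
Import-Module WebAdministration

# SIDs of direct members of the local Administrators group (S-1-5-32-544).
# Members of nested domain groups are not expanded here.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

function Resolve-AccountSid {
    param([string] $Account)
    # IIS may store local accounts as ".\name"; NTAccount needs the machine name.
    $name = $Account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    try {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account was deleted or cannot be resolved from this host
    }
}

$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type  = [string]$pool.processModel.identityType
    $user  = [string]$pool.processModel.userName
    $issue = $null

    if ($type -eq 'LocalSystem') {
        $issue = 'Runs as LocalSystem (full control of the host)'
    } elseif ($type -eq 'SpecificUser') {
        $sid = Resolve-AccountSid $user
        if (-not $sid) {
            $issue = "Custom account '$user' could not be resolved; verify manually"
        } elseif ($adminSids -contains $sid) {
            $issue = "Custom account '$user' is a local administrator"
        }
    }

    [pscustomobject]@{
        AppPool  = $pool.Name
        Identity = if ($type -eq 'SpecificUser') { $user } else { $type }
        Issue    = $issue
    }
}

# Pools with an empty Issue column passed these two checks only.
$findings | Format-Table -AutoSize
```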

How Organizations Can Defend Against IIS Server Attacks

Given the increased targeting of Microsoft IIS servers, organizations should take proactive steps to secure their environments. Best practices for defending against IIS-related cyberattacks include:

Enforcing Multi-Factor Authentication (MFA): Prevents unauthorized access even if credentials are compromised.

Implementing Web Application Firewalls (WAFs): Helps detect and block malicious requests targeting IIS servers.

Monitoring Network Traffic: Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify unusual activity.

Restricting Unnecessary Services and Ports: Minimizes the attack surface and reduces exposure to vulnerabilities.

Applying Regular Security Patches: Ensures all software and dependencies are updated to the latest versions.

Conducting Regular Security Audits: Helps identify misconfigurations and security gaps before attackers can exploit them.

The Growing Threat of RCE Vulnerabilities in Enterprise Software

The exploitation of CVE-2025-0994 highlights the ongoing risks associated with Remote Code Execution (RCE) vulnerabilities in enterprise software. RCE flaws are among the most critical security issues, as they allow attackers to execute arbitrary code on target systems, leading to potential data breaches, ransomware deployment, or network-wide compromise.

In recent years, cybercriminals have increasingly focused on exploiting RCE vulnerabilities in widely used applications. This trend has been fueled by the rising adoption of cloud services, remote work environments, and reliance on third-party software solutions like Cityworks.

Conclusion: Strengthening Cybersecurity Defenses

The active exploitation of the Cityworks RCE vulnerability (CVE-2025-0994) underscores the critical need for organizations to prioritize cybersecurity measures. Municipalities, utilities, and public sector agencies using Cityworks should act swiftly to patch their systems, review configurations, and implement security best practices to minimize risk.

As hackers continue to evolve their tactics, staying ahead of cyber threats requires continuous monitoring, proactive vulnerability management, and a robust incident response strategy. Organizations must recognize that securing Microsoft IIS servers and enterprise applications is not just an IT priority but a fundamental requirement for safeguarding sensitive data and ensuring operational resilience in the face of escalating cyber threats.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
