EXPLOITED ZERO-DAY: CISA: Trimble Cityworks
Now that it's public, I can confirm that CVE-2025-0994 (7.2 high) remote code execution is an exploited zero-day. Quoting Trimble internal communication:

These changes address a recently discovered vulnerability enabling an external actor to exploit a deserialization vulnerability for remote code execution (RCE) against a customer's Microsoft Internet Information Services (IIS) web server

Indicators of compromise are currently restricted, looking to see if Trimble approved for sharing

#threatintel #zeroday #trimble #cityworks #activeexploitation #eitw #CVE_2025_0994 #infosec #cybersecurity #cyberthreatintelligence #vulnerability #CTI

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
CVE-2025-0994 (8.6 high) Trimble Cityworks Deserialization Vulnerability

cc: @ntkramer rare Friday KEV

#cisa #cisakev #kev #eitw #zeroday #vulnerability #trimble #cityworks #activeexploitation #infosec #cybersecurity #KnownExploitedVulnerabilitiesCatalog

@screaminggoat @ntkramer Sooo, deserialization, IIS... have they left their ViewState key exposed? /speculation

@buherator @ntkramer I swear to god, if they deployed godzilla post-exploitation framework I'm going to blow up China.

@screaminggoat @ntkramer Yeah the payload definitely doesn't match.

CISA: Trimble Releases Security Updates to Address a Vulnerability in Cityworks Software
CISA puts out a standalone security alert about Trimble Cityworks Server Asset Management System (AMS), which was exploited with zero-day CVE-2025-0994.

IOC:

4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d4 4818dc39a6ff99d5
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
8a6c735f3608719ec9f46d9c6c5fc196db8c97065957c218b98733a491edd899
883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925
151a71c43e63db802d41d5d715aa98eb1b236e0a6441076a8d30fd93990416b4
1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e1 26e50caa1e43250b
14a072113baa0a1e1e2b6044068c7bc972ae5e541a0aec06577b0d6663140079
04dc3a16e1e2b4924943805a1cea5e402c4f2304c717ea21fdf43274b8c34a84
f09b51b759dfe7de06fa724bd89592f5b8eae57053d5fb4891e40f24055103fb
C:\windows\temp\z1.exe
C:\windows\temp\z2.exe
C:\windows\temp\z44.exe
C:\windows\temp\z55.exe
C:\Windows\Temp\UDGEZR.exe
C:\Windows\Temp\z55.exe_winpty\winpty-agent.exe
C:\Windows\Temp\z55.exe_winpty\winpty.dll
192.210.239[.]172:3219
192.210.239[.]172:4219
23.247.136[.]238
31.59.70[.]13
31.59.70[.]11
149.112.117[.]49
cdn[.]phototagx[.]com  
https[:]//cdn.lgaircon[.]xyz[:]443/jquery-3.3.1.min.js 
https[:]//192.210.239[.]172/messages/73KWf-o0-s0hxVCDJp1sfAHRcgdm7 
192.210.137[.]81 
192.210.183[.]118 
ifode[.]xyz 

#cisa #CVE_2025_0994 #kev #eitw #zeroday #vulnerability #trimble #cityworks #activeexploitation #infosec #cybersecurity #KnownExploitedVulnerabilitiesCatalog