QwikSec

Security Database

CVE

CWE

Training

CVE-2025-0994

Published: Feb 6, 2025

Modified: Oct 21, 2025

PUBLISHED

Description

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Vendor	Product	Versions
Trimble	Cityworks	affected `0 - < 15.8.9`
Trimble	Cityworks (with office companion)	affected `0 - < 23.10`

Weaknesses (CWE)

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04

government-resource

third-party-advisory

https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2025-0994 - Security Vulnerability | QwikSec