Hackers are exploiting a high-severity remote code execution (RCE) flaw in deployments of Cityworks, a GIS-centric asset and work order management software, to execute code on customers’ Microsoft web servers.
In a coordinated advisory with the US Cybersecurity and Infrastructure Security Agency (CISA), Cityworks’ developer Trimble said that the vulnerability, tracked as CVE-2025-0994 with a CVSS rating of 8.6/10, is a severe deserialization flaw and that the company is working on a fix that will be released in the next software update.
US cities including Greeley, Baltimore County, and Newport News, along with critical utilities such as Sacramento Suburban Water District and Bay County Road Commission, depend on Cityworks for asset management. A breach could lead to service disruptions, data exposure, and public safety risks, highlighting the need for prompt patching of this vulnerability.