Trimble Cityworks <=15.8.9 & OfficeComp <=23.10 Deserial RCE via IIS
CVE-2025-0994 Published on February 6, 2025
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
Known Exploited Vulnerability
This Trimble Cityworks Deserialization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
The following remediation steps are recommended / required by February 28, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2025-0994 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2025-0994
Affected Versions
Trimble Cityworks:
- Before 15.8.9 is affected.
- Before 23.10 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.