CVE-2025-0994 — Trimble Cityworks Deserialization Vulnerability

Overview

Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?; https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0994

Key Details

Property	Value
CVE ID	CVE-2025-0994
Vendor / Product	Trimble — Cityworks
NVD Published	2025-02-06
NVD Last Modified	2025-10-30
CVSS 3.1 Score	8.8
CVSS 3.1 Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
Severity	HIGH
CWE	CWE-502
CISA KEV Added	2025-02-07
CISA KEV Deadline	2025-02-28
Known Ransomware Use	No

CVSS 3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Required Action

CISA BOD 22-01 Deadline: 2025-02-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date	Event
2025-02-07	Added to CISA Known Exploited Vulnerabilities catalog
2025-02-28	CISA BOD 22-01 remediation deadline

References

Resource	Type
NVD — CVE-2025-0994	Vulnerability Database
CISA KEV Catalog Entry	US Government