Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
References
| Link | Resource |
|---|---|
| https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? | Vendor Advisory |
| https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 | Third Party Advisory US Government Resource |
Configurations
Configuration 1 (hide)
|
History
12 Feb 2025, 19:29
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Trimble
Trimble cityworks |
|
| CPE | cpe:2.3:a:trimble:cityworks:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| References | () https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0? - Vendor Advisory | |
| References | () https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04 - Third Party Advisory, US Government Resource |
06 Feb 2025, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server. | |
| CWE | ||
| References |
|
06 Feb 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-02-06 16:15
Updated : 2025-02-12 19:29
NVD link : CVE-2025-0994
Mitre link : CVE-2025-0994
JSON object : View
Products Affected
trimble
- cityworks
CWE
No CWE.