Deserialization bug allowed RCE on Microsoft IIS

The vulnerability, which affects Cityworks versions before 15.8.9 and Cityworks with Office Companion versions before 23.10, is a deserialization flaw that was assigned a severity rating of CVSS 8.6 out of 10. On successful exploitation, the bug allows an authenticated attacker to achieve remote code execution (RCE) on a target's Microsoft Internet Information Services (IIS) web server, a significant risk considering it could lead to unauthorized access to and control over critical systems.

Trimble had fixed the issue with two January rollouts, Cityworks 15.8.9 and Office Companion 23.10, and urged customers to update affected systems promptly. "On premise customers should install the updated version immediately," the company had said. "These updates will be automatically applied to all Cityworks Online (CWOL) deployments."

As added mitigation steps, Trimble recommended that its on-premise customers not run IIS with local or domain-level administrative privileges on any site, a configuration that is set automatically for CWOL users. The company also flagged inappropriate attachment directory configurations, with instructions to limit these configurations to folders and subfolders containing only attachments.

Talos reported that zero-day exploitation isn't too surprising, considering that an Eventus scan in February found 111 publicly accessible Cityworks instances, of which approximately 21% were found to be vulnerable to CVE-2025-0994.
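Trimble's mitigation advice above, that IIS should not run with local or domain-level administrative privileges, is something an on-premise administrator can verify rather than assume. The following PowerShell audit is an added example, not code from Trimble, Talos, or CSO Online; it assumes a Windows Server host with IIS and the WebAdministration module installed and PowerShell 5.1 or later (for Get-LocalGroupMember). It enumerates every IIS application pool, reports the identity it runs under, and flags pools running as LocalSystem or as a custom account that is a member of the local Administrators group. Domain-level group membership is not resolved here, so any custom account is reported for manual review.

```powershell
# Added example (not Trimble's or the article's code): audit IIS application pool
# identities on an on-premise Cityworks host and flag pools that run with
# administrative privileges, which Trimble's mitigation guidance advises against.
# Assumptions: WebAdministration module present; PowerShell 5.1+ for
# Get-LocalGroupMember; run from an elevated prompt on the IIS host itself.

Import-Module WebAdministration -ErrorAction Stop

# Local Administrators members come back as 'COMPUTER\user' or 'DOMAIN\user';
# keep only the leaf account name so it can be matched against the pool's userName,
# which may or may not carry a domain prefix.
$localAdminLeaves = (Get-LocalGroupMember -Group 'Administrators').Name |
    ForEach-Object { ($_ -split '\\')[-1] }

$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    $identityType = [string]$pm.identityType

    switch ($identityType) {
        'LocalSystem' {
            $identity = 'LocalSystem'
            $risk = 'HIGH: pool runs as SYSTEM (full local privileges)'
        }
        'SpecificUser' {
            $identity = $pm.userName
            $leaf = ($pm.userName -split '\\')[-1]
            if ($localAdminLeaves -contains $leaf) {
                $risk = 'HIGH: custom account is a member of local Administrators'
            } else {
                # Domain group membership is not checked here; confirm the account
                # holds no domain-level admin rights before treating it as safe.
                $risk = 'REVIEW: custom account; verify it has no local or domain admin rights'
            }
        }
        default {
            # ApplicationPoolIdentity, NetworkService and LocalService are the
            # low-privilege built-in identities.
            $identity = $identityType
            $risk = 'OK: low-privilege built-in identity'
        }
    }

    [pscustomobject]@{
        AppPool  = $pool.Name
        Identity = $identity
        Risk     = $risk
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets this double as a compliance check in a scheduled job.
if ($findings | Where-Object { $_.Risk -like 'HIGH*' }) { exit 1 }
```

A pool that shows as HIGH should be moved to ApplicationPoolIdentity or a dedicated low-privilege service account; the same audit is worth re-running after the Cityworks 15.8.9 or Office Companion 23.10 update, since the patch fixes the deserialization flaw but does not by itself change the privileges IIS runs under.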
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3994082/beijing-may-have-breached-us-government-systems-before-cityworks-plugged-a-critical-flaw.html