Supply chain [SC] Supply Chain

Trimble Cityworks Vulnerability Exploited Against US Local Governments

2025-01-01 [vendor] Trimble Cityworks (GIS asset/work-order management) [cve] CVE-2025-0994
Primary Source ↗

Incident Details

Beginning in early 2025, threat actors exploited CVE-2025-0994, a critical deserialization vulnerability in Trimble Cityworks, to compromise GIS asset and work-order management systems used by multiple US local governments. CISA added this CVE to its Known Exploited Vulnerabilities (KEV) catalog. Approximately 200-plus local government entities across the US that use Cityworks for managing public infrastructure assets, permits, and work orders were potentially affected. Exposed data included GIS asset management data, work-order information, and potentially resident/property data stored in the connected systems. Trimble released patches and CISA issued an advisory urging immediate remediation.

Technical Details

Initial Attack Vector
Attackers exploited a deserialization vulnerability in Trimble Cityworks, a GIS-based work order and asset management system used by local governments, to gain unauthorized access to municipal infrastructure systems
Vendor / Product
Trimble Cityworks (GIS asset/work-order management)
CVE / GHSA References
CVE-2025-0994
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2025-01-01 Breach occurred
  2. 2025-05-01 Publicly disclosed
  3. 2025-05-01 Customers notified