github - ghsa-m5q8-8x36-w25p

ghsa-m5q8-8x36-w25p

Vulnerability from github

Published

2025-02-06 18:31

Modified

2025-10-22 00:33

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-0994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T16:15:41Z",
    "severity": "HIGH"
  },
  "details": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server.",
  "id": "GHSA-m5q8-8x36-w25p",
  "modified": "2025-10-22T00:33:12Z",
  "published": "2025-02-06T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0994"
    },
    {
      "type": "WEB",
      "url": "https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2025-0994 (GCVE-0-2025-0994)

Vulnerability from cvelistv5

Published

2025-02-06 16:01

Modified

2025-10-21 22:55

Severity ?

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04	government-resource, third-party-advisory
	https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?	vendor-advisory

Impacted products

Vendor

Product

Version

Version: 0 < 15.8.9

Cityworks (with office companion)

Version: 0 < 23.10

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0994",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-15T19:53:25.658943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-02-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:30.136Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0994"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-02-07T00:00:00+00:00",
            "value": "CVE-2025-0994 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cityworks",
          "vendor": "Trimble",
          "versions": [
            {
              "lessThan": "15.8.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Cityworks (with office companion)",
          "vendor": "Trimble",
          "versions": [
            {
              "lessThan": "23.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Trimble"
        }
      ],
      "datePublic": "2025-02-06T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server."
            }
          ],
          "value": "Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer\u2019s Microsoft Internet Information Services (IIS) web server."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "CISA has received reports of this vulnerability being actively exploited.\u003cbr\u003e"
            }
          ],
          "value": "CISA has received reports of this vulnerability being actively exploited."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-06T16:55:26.352Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "third-party-advisory"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-05-docx/0?"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\"\u003ehttps://cityworks.my.site.com/)(Login\u003c/a\u003e required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.\u003cbr\u003e"
            }
          ],
          "value": "Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login  required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Trimble has observed that some on-premise deployments may have overprivileged  Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble\u0027s technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\"\u003ehttps://cityworks.my.site.com/)(Login\u003c/a\u003e required) for more information on how to update IIS identity permissions. Trimble\u0027s CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.\u003cbr\u003e\u003cbr\u003eTrimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://cityworks.my.site.com/)(Login\"\u003ehttps://cityworks.my.site.com/)(Login\u003c/a\u003e required) for more information on how to ensure proper configuration of the attachment directory.\u003cbr\u003e"
            }
          ],
          "value": "Trimble has observed that some on-premise deployments may have overprivileged  Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble\u0027s technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login  required) for more information on how to update IIS identity permissions. Trimble\u0027s CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.\n\nTrimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the [Cityworks Support Portal]( https://cityworks.my.site.com/)(Login  required) for more information on how to ensure proper configuration of the attachment directory."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-0994",
    "datePublished": "2025-02-06T16:01:20.000Z",
    "dateReserved": "2025-02-03T18:03:05.707Z",
    "dateUpdated": "2025-10-21T22:55:30.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.