A significant security breach has been reported involving Trimble Cityworks, a specialized software product used by local U.S. governments and public agencies to manage infrastructure services. Recent findings by Talos Intelligence reveal that Chinese hackers exploited a now-patched high-severity flaw, identified as CVE-2025-0994, to achieve remote code execution and deliver malware.
The exploitation of this flaw began as early as January 2025, according to a Talos blog post that attributes the attacks to a group it tracks as ‘UAT-6382’. The report notes widespread infiltration of the enterprise networks of local governing bodies and emphasizes the sophistication of the suspected threat actors, who are believed to be Chinese-speaking.
The Cybersecurity and Infrastructure Security Agency (CISA) recognized the critical risks associated with the vulnerability early on, issuing warnings in February. Trimble had released security updates in January to mitigate the risks from this flaw. The company urged its customers to apply these updates promptly, because the vulnerability significantly jeopardized the integrity of critical infrastructure systems.
The attackers reportedly used advanced tools, including Cobalt Strike and VShell, to further their intrusions. The underlying vulnerability is a deserialization flaw rated CVSS 8.6 that allows authenticated attackers to execute remote commands on affected systems. Successful exploitation could lead to unauthorized access to and control over critical municipal systems.
For more information on recommended mitigation strategies and software updates, stakeholders can refer to CISA’s advisory and to the updates Trimble has communicated to its customers.