Cisco Talos has issued a critical alert regarding active cyberattacks exploiting a zero-day vulnerability identified as CVE-2025-0994 in Trimble Cityworks, a widely utilized platform for managing public assets. The research from Cisco Talos, detailed on Hackread.com, indicates that a sophisticated threat group, known as UAT-6382, has been targeting local government organizations in the United States since January 2025.
The vulnerability carries a high-severity CVSS score of 8.6 and enables remote code execution, meaning attackers can run malicious programs on affected systems without authenticating. Cisco Talos and the Cybersecurity and Infrastructure Security Agency (CISA) have both issued warnings about this serious flaw, noting specifically that it affects Cityworks versions before 15.8.9 and Office Companion versions prior to 23.10.
Once the attackers gained access, UAT-6382 deployed stealthy web shells like AntSword and chinatso/Chopper on compromised servers to maintain access. Furthermore, they utilized a custom-built Rust-based loader known as TetraLoader to facilitate the persistent installation of additional malware such as Cobalt Strike and VSHell. Cisco Talos confirmed this intrusion had led to significant compromises within enterprise networks of local U.S. government bodies.
Research suggests that UAT-6382 consists of “Chinese-speaking threat actors,” as evidenced by the use of Chinese language in the web shells and the development of TetraLoader with a framework known as MaLoader, which was also written in Simplified Chinese. The group has shown particular interest in systems associated with utility management, suggesting these are targets for data theft and long-term access.
As part of their operations, which began at the start of 2025, the hackers are reported to have conducted thorough reconnaissance on compromised systems, using PowerShell commands to deploy backdoors and establish control over infected networks. The threat actors also scanned for Cityworks-related directories and sensitive files to exploit for further gain.
To mitigate the risks associated with this vulnerability, Cityworks has urged users to apply the provided security patches without delay. Experts recommend that organizations monitor closely for suspicious activity and use security products such as Cisco Secure Endpoint, Secure Firewall, and Umbrella.
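An added example of how a defender might triage an inventory against the advisory's patched versions (Cityworks 15.8.9, Office Companion 23.10); this is not code from Talos or Trimble, and the hostnames and installed versions in the sample inventory are constructed. It compares versions numerically, component by component, so that a build such as 15.8.10 is not mistaken for a vulnerable one by a plain string comparison.

```python
"""Inventory check for CVE-2025-0994 exposure (added example, not vendor code).

Thresholds from the advisory: Cityworks < 15.8.9 and Office Companion < 23.10
are affected. Versions are compared as tuples of integers because a string
comparison would wrongly rank "15.8.10" below "15.8.9".
"""
from typing import List, Tuple

# Minimum patched versions stated in the advisory.
PATCHED = {
    "cityworks": (15, 8, 9),
    "office_companion": (23, 10),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.8.10' into (15, 8, 10); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '15.8' compares as (15, 8, 0) against (15, 8, 9)."""
    return version + (0,) * (width - len(version))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is below the advisory's patched threshold."""
    threshold = PATCHED[product]
    installed = parse_version(version)
    width = max(len(installed), len(threshold))
    return _pad(installed, width) < _pad(threshold, width)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the patch."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("cw-app-01", "cityworks", "15.8.9"),
    ("cw-app-02", "cityworks", "15.8.10"),
    ("cw-app-03", "cityworks", "15.7.2"),
    ("cw-oc-01", "office_companion", "23.9"),
    ("cw-oc-02", "office_companion", "23.10"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the patched version")
```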