Trimble Cityworks

Chinese-speaking hackers exploited a vulnerability in Trimble Cityworks software to breach multiple local governing bodies across the United States. The attackers used Rust-based malware to deploy Cobalt Strike beacons and VSHell malware, which provided long-term persistent access. The attacks started in January 2025 and targeted systems related to utilities management. The security flaw, CVE-2025-0994, is a high-severity deserialization vulnerability. Federal agencies were warned to patch immediately.

Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/

TPRM report: https://scoringcyber.rankiteo.com/company/cityworks-azteca-systems-inc-

"id": "cit517052325",
"linkid": "cityworks-azteca-systems-inc-",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "",
"explanation": "Attack with significant impact with customer data leaks"

{'affected_entities': [{'industry': 'Public Works',
                        'location': 'United States',
                        'name': 'Local governing bodies',
                        'type': 'Government'}],
 'attack_vector': 'Deserialization Vulnerability',
 'date_detected': '2025-01-01',
 'description': 'Chinese-speaking hackers have exploited a now-patched Trimble '
                'Cityworks zero-day to breach multiple local governing bodies '
                'across the United States.',
 'impact': {'systems_affected': 'Microsoft Internet Information Services (IIS) '
                                'servers'},
 'initial_access_broker': {'backdoors_established': ['Cobalt Strike beacons',
                                                     'VSHell malware'],
                           'entry_point': 'Deserialization Vulnerability',
                           'high_value_targets': 'Utilities management systems',
                           'reconnaissance_period': 'January 2025'},
 'motivation': 'Long-term persistent access',
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities',
                            'root_causes': 'Deserialization Vulnerability'},
 'recommendations': ['Patch immediately'],
 'references': [{'source': 'Cisco Talos'},
                {'source': 'U.S. Cybersecurity and Infrastructure Security '
                           'Agency (CISA)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA catalog']},
 'response': {'containment_measures': ['Patching vulnerabilities']},
 'threat_actor': 'UAT-6382',
 'title': 'Trimble Cityworks Zero-Day Exploit by Chinese-Speaking Hackers',
 'type': 'Cyber Attack',
 'vulnerability_exploited': 'CVE-2025-0994'}