Advisory 79: Trimble Releases Security Updates to Address a Vulnerability Impacting its Cityworks Server AMS
Release Date: 10th of February 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to organizations that use the above products. It is intended to be understood by technical users.
What is it?
Trimble has released security updates for a vulnerability (CVE-2025-0994) impacting its Cityworks Server AMS (Asset Management System).
What are the systems affected?
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable.
What does this mean?
The vulnerability could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
Mitigation process
CERTVU encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds.
References
1. https://www.cisa.gov/news-events/alerts/2025/02/07/trimble-releases-security-updates-address-vulnerability-cityworks-software
2. https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?
3. https://www.cve.org/CVERecord?id=CVE-2025-0994