Remote Code Execution in Trimble Cityworks Deserialization

Successful exploitation allows authenticated remote code execution on the target IIS web server. In observed intrusions, attackers used the vulnerability for initial access and then deployed IIS web shells, staged files for exfiltration, performed reconnaissance, and delivered additional payloads including Rust-based loaders, Cobalt Strike, and VShell. This can result in full compromise of the Cityworks application environment, persistence on the web server, follow-on lateral movement, and access to sensitive municipal or utility-related systems and data.

If immediate patching is not possible, restrict access to Cityworks to only trusted users and networks, remove unnecessary internet exposure, and tightly limit reachability to the IIS-hosted application. Monitor IIS logs, application logs, and filesystem locations commonly used for web shells and staging. Hunt for post-exploitation artifacts described in public reporting, including suspicious PowerShell activity, anomalous child processes from IIS worker processes, unexpected files in %TEMP% and upload directories, and outbound connections to attacker-controlled infrastructure. Enforce least privilege for Cityworks accounts and isolate the hosting server from sensitive internal systems where possible.

Upgrade Trimble Cityworks to version 15.8.9 or later and Cityworks with Office Companion to version 23.10 or later. Apply Trimble-issued fixes and review vendor advisories for any additional hardening guidance and indicators of compromise. Because exploitation has been observed in the wild, organizations should also investigate affected IIS servers for signs of compromise, including unauthorized web shells, suspicious executables in temporary directories, staged archives in web-accessible paths, and known malicious network indicators.