CISA Known Exploited Vulnerability (KEV)
Trimble Cityworks Deserialization Vulnerability
February 7, 2025
February 28, 2025
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
References
Weakness Enumeration
| CWE-ID | CWE Name |
|---|---|
|
CWE-502 |
Deserialization of Untrusted Data |