ICSA-25-037-04 · Published 2025-02-11 · Source: CISA ICS-CERT

Trimble Cityworks (Update A)

CVSS 7.2 (High) · CISA KEV: Known Exploited

Risk Summary

Successful exploitation of this vulnerability could allow an authenticated user to perform a remote code execution.

CVEs (1)

Remediations

Cityworks has released the following update guidance for users:

  • Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the Cityworks Support Portal (login required). On-premise customers should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.
  • Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the Cityworks Support Portal (login required) for more information on how to update IIS identity permissions. Trimble's CWOL customers have their IIS identity permissions set appropriately and do not need to take this action.
  • Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the Cityworks Support Portal (login required) for more information on how to ensure proper configuration of the attachment directory.
  • For more information, see Trimble's notification.
  • Cityworks software is incapable of controlling industrial processes, and is not directly part of an ICS.
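The IIS identity point in the remediation list can be audited on an on-premise Windows host with the script below, an added example that is not Trimble's or CISA's code. It assumes the WebAdministration module and PowerShell 5.1 or later (for Get-LocalGroupMember), and it checks only local Administrators membership and LocalSystem; membership in domain administrative groups would need a separate directory lookup.

```powershell
# Added example (not from Trimble or CISA): list every IIS application pool on this
# host with the account its worker process runs as, and flag pools that run with
# administrative privileges (LocalSystem, or a custom account that is a member of
# the local Administrators group). Run in an elevated PowerShell session.
Import-Module WebAdministration -ErrorAction Stop

# Local Administrators members, returned as "COMPUTER\name" or "DOMAIN\name".
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

function Resolve-PoolIdentity {
    param($Pool)
    # Map processModel.identityType to the account the worker process runs as.
    switch ([string]$Pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$($Pool.Name)" }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'SpecificUser'            { [string]$Pool.processModel.userName }
        default                   { "<unknown identity type>" }
    }
}

function Test-LocalAdminAccount {
    param([string]$Account)
    # Compare on the account's leaf name so "svc-cw" and "HOST\svc-cw" both match.
    # This can over-report when a local and a domain account share a name, which
    # is acceptable for an audit that a human reviews.
    $leaf = ($Account -split '\\')[-1]
    foreach ($member in $localAdmins) {
        if (($member -split '\\')[-1] -eq $leaf) { return $true }
    }
    return $false
}

$findings = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $type     = [string]$pool.processModel.identityType
    $identity = Resolve-PoolIdentity -Pool $pool
    $overprivileged = ($type -eq 'LocalSystem') -or
                      ($type -eq 'SpecificUser' -and (Test-LocalAdminAccount $identity))
    [pscustomobject]@{
        AppPool        = $pool.Name
        IdentityType   = $type
        RunsAs         = $identity
        Overprivileged = $overprivileged
    }
}

# Overprivileged pools sort to the top; each one needs its identity changed per
# the Cityworks release notes before the host is considered remediated.
$findings | Sort-Object Overprivileged -Descending | Format-Table -AutoSize
```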

Affected Vendors

Trimble

Affected Products (2)

Trimble · Cityworks <15.8.9
Trimble · Cityworks with office companion <23.10

Affected Sectors

Water and Wastewater Systems, Energy, Transportation Systems, Government Services and Facilities, Communications
