Chinese Hackers Exploit Cityworks Vulnerability in Targeted Cyberattacks on U.S. Infrastructure

Chinese hackers exploited CVE-2025-0994 in Cityworks to breach U.S. local government systems, deploying malware and targeting critical utility networks.

Since January, Chinese-speaking hackers have actively exploited a serious vulnerability in Trimble’s Cityworks software to deliver malware to U.S. local governments and utilities. The vulnerability, now identified as CVE-2025-0994, allowed the attackers to gain remote administrative access via Microsoft’s Internet Information Services (IIS) — a widely used web server on Windows systems.

Cybersecurity firm Cisco Talos published a report identifying the group behind the attacks as UAT-6382. These Chinese hackers exploited the Cityworks vulnerability to breach enterprise networks and deploy malware that allowed them to maintain long-term access.

“UAT-6382 successfully exploited CVE-2025-0994, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware,” Talos reported. Once inside, the group focused on systems related to utilities management — a critical component of municipal infrastructure.

Federal Alerts and Security Warnings Issued for CVE-2025-0994

In February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a formal advisory warning organizations of the Cityworks vulnerability. Around the same time, the Environmental Protection Agency (EPA) issued an alert to water and wastewater systems, advising immediate patching of systems running Cityworks software to prevent compromise.

The attackers used remote code execution to deploy well-known post-exploitation tools like Cobalt Strike and VShell, both commonly used by Chinese state-affiliated threat groups. These tools allowed them to fingerprint servers and execute malicious web shells, effectively giving them persistent access to sensitive systems.

Cityworks, a GIS-based asset management platform by Trimble, is widely adopted by local governments, public agencies, and utilities across the United States. Its role in managing infrastructure and community services makes it a high-value target. The fact that Chinese hackers leveraged the Cityworks vulnerability to gain unauthorized access raises concerns about the cybersecurity posture of public sector technology systems.

Conclusion

Security experts are urging all organizations using Cityworks to immediately apply the latest patches and conduct thorough system audits.

The exploitation of this vulnerability shows the continued targeting of local government systems by foreign adversaries and highlights the urgent need for improved cyber defense measures.

Amit Kumar