CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered a deserialization vulnerability enabling an external actor to potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server. 

CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. 

CISA strongly encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds. 

Review the following article for more information: 

The Symantec Threat Hunter team, part of Broadcom, contributed to this guidance.