Chinese Hackers Exploit Cityworks Zero-Day Vulnerability to Compromise U.S. Local Government Systems
Chinese-speaking cyber adversaries have successfully exploited a now-resolved zero-day vulnerability in Trimble Cityworks, affecting multiple local government entities across the United States.
Trimble Cityworks is a Geographic Information System (GIS)-based asset management and work order management software, extensively utilized by local governments, public utilities, and civil infrastructure organizations. The software is designed to facilitate the management of public assets, permitting, licensing, and the processing of work orders.
The hacking group, tracked as UAT-6382, deployed a Rust-based malware loader to execute Cobalt Strike beacons and VShell malware. These tools were used to backdoor compromised systems and maintain long-term access, alongside web shells and several custom malicious tools written in Chinese.
According to Cisco Talos, the first reconnaissance activity inside the compromised networks was observed in January 2025. Security researchers Asheer Malhotra and Brandon White reported that the group showed a pronounced interest in utilities management systems. The web shells identified included AntSword, chinatso/Chopper, and several generic file uploaders, all of which contain messages written in Chinese. In addition, the custom utility TetraLoader was built with a malware-building framework known as 'MaLoader', itself written in Simplified Chinese.
Immediate Action Required for Federal Agencies
The vulnerability leveraged in this series of attacks, tracked as CVE-2025-0994, is a high-severity deserialization flaw. It allows an authenticated attacker to execute code remotely on a customer's Microsoft Internet Information Services (IIS) web server hosting Cityworks.
In early February 2025, Trimble released a patch for the vulnerability while cautioning that malicious actors were already attempting to exploit CVE-2025-0994 against Cityworks deployments. On February 7 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog and required federal civilian agencies to apply the patch within three weeks, as mandated by Binding Operational Directive (BOD) 22-01, issued in November 2021.
CISA emphasized that vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risks to federal operations. Days later, on February 11, CISA published an advisory urging organizations in the water and wastewater, energy, transportation, government services, and communications sectors to "install the updated version immediately" to mitigate the threat.
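The page describes the flaw only as an authenticated deserialization bug leading to remote code execution on IIS, and gives no details of the affected code. The following is an added illustration of that vulnerability class in a .NET web handler, not Cityworks code and not the actual CVE-2025-0994 defect: the `WorkOrderUpdate` type, the controller, and the route names are hypothetical. It contrasts an endpoint that reconstructs arbitrary .NET object graphs from the request body with one that deserializes into a single fixed data-only type and validates the result.

```csharp
// Added illustration of the deserialization-flaw class; hypothetical code,
// not Cityworks' implementation and not the real CVE-2025-0994 defect.
using System;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Hypothetical data-transfer object for a work-order status update.
public sealed class WorkOrderUpdate
{
    public int WorkOrderId { get; set; }
    public string Status { get; set; } = string.Empty;
}

[ApiController]
[Route("api/workorders")]
public sealed class WorkOrderController : ControllerBase
{
    // VULNERABLE PATTERN (constructed for illustration):
    // BinaryFormatter instantiates whatever .NET types the payload names,
    // so any authenticated caller who can reach this endpoint controls
    // object construction inside the IIS worker process. Microsoft marks
    // BinaryFormatter as unsafe for untrusted input (SYSLIB0011), and
    // .NET 5+ disables it by default; older frameworks do not.
    [HttpPost("legacy")]
    public IActionResult UpdateLegacy()
    {
        var formatter = new BinaryFormatter();
        var obj = (WorkOrderUpdate)formatter.Deserialize(Request.Body);
        return Ok(obj.WorkOrderId);
    }

    // HARDENED PATTERN: deserialize into one fixed DTO with a data-only
    // serializer. No type names are taken from the request, malformed
    // input is rejected, and field values are validated before use.
    [HttpPost]
    public async Task<IActionResult> Update()
    {
        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        WorkOrderUpdate? update;
        try
        {
            update = await JsonSerializer.DeserializeAsync<WorkOrderUpdate>(Request.Body, options);
        }
        catch (JsonException)
        {
            return BadRequest("malformed request body");
        }

        if (update is null || update.WorkOrderId <= 0 || update.Status.Length > 32)
            return BadRequest("invalid work order update");

        return Ok(update.WorkOrderId);
    }
}
```

The defender's takeaway is the shape of the fix rather than any detail of the patched product: an authenticated endpoint that hands request bytes to a type-resolving serializer is a code-execution sink regardless of how strong the login is, so the mitigation is a data-only format with a closed set of target types, not just tighter authentication. Until the vendor patch is applied, that is also why CISA's guidance treats the authenticated precondition as little comfort.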