PatchSiren

CVE-2025-0994 Trimble CVE debrief

CVE-2025-0994 is a Trimble Cityworks deserialization vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2025-02-07. The authoritative sources supplied here do not provide a CVSS score or deeper technical details, but the KEV listing means defenders should treat it as an urgent remediation item and follow vendor mitigation guidance immediately.

Vendor: Trimble
Product: Cityworks
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-02-07
Original CVE updated: 2025-02-07
Advisory published: 2025-02-07
Advisory updated: 2025-02-07

Who should care

Trimble Cityworks administrators, security teams responsible for Cityworks deployments, and incident responders tracking CISA KEV items.

Technical summary

The supplied corpus identifies a deserialization vulnerability in Trimble Cityworks. No CVSS score or exploit mechanics are provided in the supplied sources. CISA's KEV entry confirms known exploitation and directs organizations to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

Defensive priority

Urgent: CISA KEV-listed and due for remediation by 2025-02-28 according to the supplied timeline.

Recommended defensive actions

  • Review the Trimble customer communication and CISA advisory referenced in the source metadata for vendor mitigation steps.
  • Apply Trimble-recommended mitigations as soon as possible.
  • If mitigations are unavailable or cannot be applied, discontinue use of Cityworks per CISA guidance.
  • Inventory all Cityworks instances and confirm which systems are affected.
  • Prioritize remediation before the CISA KEV due date of 2025-02-28.
  • Monitor official vendor and CISA guidance for updates and verify whether any systems show signs of compromise.

Evidence notes

This debrief is based only on the supplied official and authoritative sources: the CVE record, NVD detail page, CISA KEV catalog entry, and the KEV source feed snapshot. The source corpus confirms the vulnerability name, product, vendor, KEV status, and dates (published/modified 2025-02-07; KEV due date 2025-02-28). It does not supply a CVSS score, exploit chain details, or impact specifics beyond the deserialization classification and known-exploitation status.

Official resources

CVE-2025-0994 was published and last modified on 2025-02-07 in the supplied timeline. CISA added it to the KEV catalog on 2025-02-07 with a due date of 2025-02-28. No CVSS score is present in the supplied data.