The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.

Since January, Chinese-speaking hackers have launched malware attacks targeting enterprise networks of local governments by remotely exploiting a vulnerability in Trimble's asset management software Cityworks, according to a report published Thursday by Cisco Talos.
The hackers, whose activity Talos tracks under the identifier UAT-6382, exploited a since-patched vulnerability in the Cityworks software to carry out "intrusions in enterprise networks of local governing bodies in the United States," the report said.
Back in February, the Cybersecurity and Infrastructure Security Agency issued an advisory about the Cityworks vulnerability, tracked as CVE-2025-0994, stating that an attacker could use it to achieve remote code execution against a customer's Microsoft Internet Information Services (IIS) web server, the Windows web server that hosts the Cityworks application.
The Environmental Protection Agency also issued an alert in February to inform water and wastewater system owners and operators of cyber incidents involving Cityworks software, urging them to install patches and updates to their systems that run on the software immediately.
"UAT-6382 successfully exploited CVE-2025-0994, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access," the Talos report said. "Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management."
Trimble's Cityworks software is GIS-based, and it is used by numerous local governments, utilities organizations and public agencies across the country to manage their infrastructure and community services.
After exploiting the vulnerability for remote code execution on the Cityworks server, the threat actors identified and fingerprinted the host, then dropped web shells of the kind commonly used by China-based hacking groups and deployed post-exploitation tools such as Cobalt Strike and the VShell backdoor to conduct further reconnaissance and maintain access, according to the Talos report.
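Defenders responding to the activity described above typically hunt for two artifacts of a web shell on an IIS host: the IIS worker process (w3wp.exe) spawning a command interpreter, and repeated POST requests to .aspx files that are not part of the application's known endpoints. The script below is an added example written for this article, not code from Cisco Talos or Trimble; the process-creation records, the IIS W3C log lines, the "/app/" URI prefix and the endpoint allowlist are all constructed for illustration and are not Cityworks indicators.

```python
"""Hunt for post-exploitation web-shell activity on an IIS host.

Two heuristics an incident responder would run after an IIS-hosted
application is exploited for remote code execution:
  1. w3wp.exe (the IIS worker process) spawning a command interpreter.
  2. POST requests to .aspx files outside the application's known endpoints.
All sample data in this file is constructed for illustration.
"""
from collections import Counter

# Interpreters and LOLBins a web shell commonly launches from the IIS worker.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "certutil.exe"}

# Constructed Sysmon-style process-creation records: (parent image, image, command line).
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc AAAA"),
]

# Constructed IIS W3C log excerpt (hypothetical paths; not real Cityworks URIs).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-15 03:12:44 10.0.0.5 GET /app/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-01-15 03:12:50 10.0.0.5 POST /app/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2025-01-15 03:13:01 10.0.0.5 POST /app/uploads/tmp.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-01-15 03:13:05 10.0.0.5 POST /app/uploads/tmp.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-01-15 03:14:10 10.0.0.5 GET /app/images/logo.png - 443 - 198.51.100.9 Mozilla/5.0 200
"""

# Endpoints the application legitimately accepts POSTs on (assumed allowlist).
KNOWN_POST_ENDPOINTS = {"/app/login.aspx"}


def suspicious_child_processes(events):
    """Return (child name, command line) for each interpreter spawned by w3wp.exe."""
    hits = []
    for parent, image, cmdline in events:
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        child_name = image.rsplit("\\", 1)[-1].lower()
        if parent_name == "w3wp.exe" and child_name in INTERPRETERS:
            hits.append((child_name, cmdline))
    return hits


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_aspx_posts(rows, known_endpoints):
    """Count POSTs per (client IP, URI) to .aspx paths not on the allowlist."""
    counts = Counter()
    for r in rows:
        uri = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") == "POST" and uri.endswith(".aspx") and uri not in known_endpoints:
            counts[(r["c-ip"], uri)] += 1
    return counts


if __name__ == "__main__":
    for child, cmdline in suspicious_child_processes(SAMPLE_PROCESS_EVENTS):
        print(f"w3wp.exe spawned {child}: {cmdline}")
    posts = suspicious_aspx_posts(parse_iis_log(SAMPLE_IIS_LOG), KNOWN_POST_ENDPOINTS)
    for (ip, uri), n in posts.items():
        print(f"{n} POST(s) from {ip} to unknown .aspx {uri}")
```

Both checks are deliberately simple: the process-lineage rule catches the interactive command execution a web shell provides regardless of which shell was dropped, while the log rule surfaces the shell's location on disk so it can be collected before remediation. In production the allowlist would be built from the application's deployed .aspx files and the thresholds tuned to the site's traffic.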