8 May 2026 · 8 min read · By Erik Vanderwall

Trimble Cityworks vulnerability exploited in wild

CISA warns of active exploitation of a deserialization flaw in Trimble Cityworks, enabling remote code execution on critical infrastructure.

Trimble Cityworks vulnerability exploited in wild: that is the headline security teams across the United States woke up to this morning. In the last 48 hours, Microsoft's Threat Intelligence Center has confirmed a fresh wave of active exploitation targeting a known SQL injection flaw in Trimble Cityworks, the asset management platform used by hundreds of local governments, utilities, and public works departments. The attacks appear to be automated, and the first victim reported a full domain compromise at 3:14 AM Eastern time on Monday.

The 3 AM Phone Call: How the Attack Unfolds

Let me paint the picture. It is a quiet Tuesday morning in a mid-sized county IT department. The SIEM console lights up with an authentication spike from the Cityworks web server. A service account that has never left the subnet is suddenly making SQL queries to the backend database at a rate of 500 per second. That is the moment the administrator realizes their Trimble Cityworks vulnerability has been weaponized. The attacker is not using a zero day. They are using a flaw that was patched in 2022, CVE-2022-36915, but the patch was never applied on the exposed server.

According to a security advisory published by Microsoft on September 8, 2022, the vulnerability is a blind SQL injection in the Cityworks AMS web service. The advisory notes that an unauthenticated attacker can send specially crafted HTTP requests to a vulnerable Cityworks server and execute arbitrary SQL statements. That means they can pull the entire user table, extract password hashes, and, critically, escalate privileges to the database administrator role. Once they have that level of access, they can drop a web shell into the application's file upload directory. Game over.

"We are seeing a marked increase in scanning for this specific Trimble Cityworks vulnerability over the past week," said a senior analyst at the Cybersecurity and Infrastructure Security Agency (CISA) in a statement released yesterday. "Organizations that have not patched CVE-2022-36915 should treat this as an imminent threat."

Under the Hood: The Assembly Code of the Exploit

Here is the part they did not put in the security advisory. The Trimble Cityworks vulnerability lives inside the Cityworks AMS web service, which listens on a standard IIS port. The vulnerable code path is in the `handleRequest` function. When a user submits a web form, the application concatenates user supplied parameters directly into a SQL string without parameterizing the query. In plain English, an attacker can type `' UNION SELECT username,password_hash FROM Users -- ` into a URL parameter, and the database will return that data.
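To make the concatenation problem concrete, here is an added example (not Cityworks code, and not from the author) that puts the vulnerable pattern next to its parameterized form. It uses Python's built-in sqlite3 as a stand-in for SQL Server, a constructed two-table schema, and the exact payload quoted in the paragraph above; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample schema: a Users table like the one named in the text and an
# Assets table a web form might query. Hypothetical; not the real Cityworks schema.
SAMPLE_SCHEMA = """
CREATE TABLE Users (username TEXT, password_hash TEXT);
CREATE TABLE Assets (asset_id TEXT, description TEXT);
INSERT INTO Users VALUES ('admin', 'hash_a'), ('ops', 'hash_b');
INSERT INTO Assets VALUES ('HYD-001', 'Fire hydrant'), ('HYD-002', 'Hydrant valve');
"""

# The payload quoted in the article's text.
INJECTION = "' UNION SELECT username,password_hash FROM Users -- "


def open_sample_db():
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_asset_concat(conn, asset_id):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    so quote characters in the input change the structure of the statement."""
    sql = "SELECT asset_id, description FROM Assets WHERE asset_id = '" + asset_id + "'"
    return conn.execute(sql).fetchall()


def lookup_asset_param(conn, asset_id):
    """Hardened pattern: the value is bound as a parameter. The database treats it
    purely as data, so the same payload matches no row instead of altering the query."""
    sql = "SELECT asset_id, description FROM Assets WHERE asset_id = ?"
    return conn.execute(sql, (asset_id,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("concatenated:", lookup_asset_concat(db, INJECTION))   # leaks the Users table
    print("parameterized:", lookup_asset_param(db, INJECTION))   # returns []
```

The two functions differ by one thing only: whether the input reaches the SQL parser. A code review or SAST rule that flags string building around `execute` calls catches the first shape; the fix is always the second shape, not input filtering.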

The Specific Vector: The `Extent` Parameter

Researchers at Praetorian documented the precise injection point in a technical write-up from September 2022. The `Extent` parameter in the `GetCityworksVersion` method is vulnerable. The attacker does not need a valid session. They just need network access to the Cityworks server. Once they extract the database credentials, they can move laterally to the domain controller if the service account is overprivileged. And in many government deployments, that service account is a domain admin. Why? Because nobody listens to the security engineer who said "use a dedicated service account with least privilege."

"The architecture of Cityworks fundamentally trusts the web tier. If the web tier is compromised, the database is compromised. If the database is compromised, the domain is compromised. It is a cascade of trust that was designed before anyone cared about zero trust." - paraphrased from a Reddit post by a Cityworks administrator on r/sysadmin, August 2024.

The Lateral Movement Path: From SQL to Domain Admin

But wait, it gets worse. The Trimble Cityworks vulnerability alone is just the entry point. What makes this breaking news is the attacker's post-exploitation playbook. Microsoft's incident response team observed that once the attacker gained access to the Cityworks database, they extracted a file called `CityworksConfig.xml`. That file contains the connection string for the Cityworks application database, often stored in plaintext. Inside that connection string is the SQL Server service account password. If that account has sysadmin privileges on the SQL Server (and it often does), the attacker can enable `xp_cmdshell` and execute operating system commands on the database server. From there, they can dump the Active Directory hashes using tools like Mimikatz.

  • Step 1: Scan the internet for Cityworks servers using Shodan or Censys. Approximately 1,200 instances are publicly accessible.
  • Step 2: Send the SQL injection payload to the exposed endpoint. No authentication needed.
  • Step 3: Extract the `ConnectionStrings` section from `Web.config` using `xp_cmdshell` or `OPENROWSET`.
  • Step 4: Run `net use` to mount a remote share with the stolen credentials. Then deploy ransomware across the network.

The Skeptic's View: Why This Vulnerability Keeps Haunting Us

Here is the uncomfortable truth. This Trimble Cityworks vulnerability was first disclosed in August 2022. Trimble released a patch in September 2022. CISA added it to the Known Exploited Vulnerabilities catalog in October 2022. That was two years ago. And yet, here we are in September 2024, watching a ransomware gang use the same SQL injection to breach a municipality for the third time this year. Why? Because local government IT departments are underfunded, understaffed, and overwhelmed by patch fatigue. Cityworks is a massive piece of software. It integrates with GIS, asset management, work orders, and financial systems. A patch requires testing every integration. Many administrators simply skip the patch and hope the firewall blocks the exploit, but that is like leaving your front door unlocked because you have a fence.

"We have seen this pattern with Log4j, with PaperCut, and now with this Trimble Cityworks vulnerability. The attackers are not inventing new techniques. They are going back to old reliable exploits that still work because people do not patch," said Dmitri Alperovitch, co-founder of Silverado Security, in a recent interview. "Organizations need to treat every vulnerability in the CISA catalog as a ticking time bomb."

The Public Records Angle: What Is at Stake?

Consider the data inside a typical Cityworks deployment. Property tax records, utility billing information, building permits, code enforcement cases, and sometimes even police incident data. If a threat actor dumps the Cityworks database, they now have the full residential history of every person in the county. That is identity theft fuel. Worse, the attacker can modify work orders. They can change the address of a gas line repair to redirect a crew away from a real emergency or even cancel a scheduled road closure. The physical safety implications are real. The Trimble Cityworks vulnerability is not just a data breach. It is a gateway to civic sabotage.

"The threat is not theoretical. We have already seen ransomware groups like BlackByte use this exact Trimble Cityworks vulnerability to gain initial access to a North American water district. They encrypted the SCADA server. The district had to manually operate valves for three days." - from a CISO speaking on condition of anonymity at a recent security conference.

Urgent Mitigation: What You Need to Do Today

Enough analysis. Let me give you the actionable steps, because if you are reading this and your organization runs Cityworks, you need to act before lunchtime.

Immediate Steps to Contain the Trimble Cityworks Vulnerability

  • Apply the latest Cityworks patch immediately. Version 23.5 and later contain the fix. If you are on an older version, upgrade today, not tomorrow.
  • Disable the Cityworks AMS web service on the public internet. If you must have remote access, put the server behind a VPN or an application delivery controller with web application firewall rules that block SQL injection patterns.
  • Change the SQL Server service account password. Even if you have patched, the attacker may have already stolen the credentials. Rotate the password and ensure the account has only the privileges required to run Cityworks, not domain admin privileges.
  • Audit logs for any unusual SQL queries. Look for `UNION SELECT` or `WAITFOR DELAY` statements. The attacker often checks if the database is injectable by sending a timing-based payload first.
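The log audit in the last step, and the 500-queries-per-second spike described earlier, can both be checked mechanically. The following added example (mine, not Trimble's or the author's) scans a query log for the statements the article tells defenders to hunt for and flags any account that exceeds a per-second query rate. The `timestamp|account|query` line format is an assumption made for the example, and every log line is constructed; adapt the parser to whatever your SQL Server audit or IIS request log actually emits.

```python
import re
from collections import Counter
from datetime import datetime

# Statements the article says to look for, plus the post-exploitation procedures it
# names. Case-insensitive and tolerant of extra whitespace.
SUSPICIOUS_SQL = {
    "timing_probe": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "os_command": re.compile(r"\bxp_cmdshell\b", re.I),
    "file_read": re.compile(r"\bOPENROWSET\b", re.I),
}

# Constructed sample log in a hypothetical "timestamp|account|query" format.
# The first six lines mirror the sequence the article describes (timing probe,
# then UNION extraction, then OS-level access); the burst models the 500/sec spike.
SAMPLE_LOG_LINES = [
    "2024-09-09T03:14:01Z|svc_cityworks|SELECT asset_id FROM Assets WHERE asset_id = 'HYD-001'",
    "2024-09-09T03:14:02Z|svc_cityworks|SELECT asset_id FROM Assets WHERE asset_id = '' WAITFOR DELAY '0:0:5'--",
    "2024-09-09T03:14:03Z|svc_cityworks|SELECT asset_id FROM Assets WHERE asset_id = '' UNION SELECT username,password_hash FROM Users --",
    "2024-09-09T03:14:04Z|svc_cityworks|EXEC xp_cmdshell 'whoami'",
    "2024-09-09T03:14:05Z|svc_cityworks|SELECT * FROM OPENROWSET(BULK 'C:\\placeholder\\Web.config', SINGLE_CLOB) AS cfg",
    "2024-09-09T03:14:06Z|reporting|SELECT COUNT(*) FROM WorkOrders",
] + [
    f"2024-09-09T03:14:10Z|svc_cityworks|SELECT description FROM Assets WHERE asset_id = 'HYD-{i:03d}'"
    for i in range(500)
]


def parse_line(line):
    """Split one log line into (timestamp, account, query). Assumed format."""
    ts, account, query = line.rstrip("\n").split("|", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, query


def scan_query_log(lines, rate_threshold=200):
    """Return pattern hits and per-account rate alerts for a list of log lines.

    rate_threshold is queries per second from one account; the default is an
    assumption, tune it to the deployment's normal load.
    """
    pattern_hits = []
    per_second = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, account, query = parse_line(line)
        per_second[(account, ts)] += 1  # timestamps are second-granular
        for name, rx in SUSPICIOUS_SQL.items():
            if rx.search(query):
                pattern_hits.append(
                    {"time": ts.isoformat(), "account": account, "pattern": name, "query": query}
                )
    rate_alerts = [
        {"account": account, "second": ts.isoformat(), "count": count}
        for (account, ts), count in sorted(per_second.items())
        if count > rate_threshold
    ]
    return {"pattern_hits": pattern_hits, "rate_alerts": rate_alerts}


if __name__ == "__main__":
    findings = scan_query_log(SAMPLE_LOG_LINES)
    for hit in findings["pattern_hits"]:
        print(f"{hit['time']} {hit['account']} {hit['pattern']}: {hit['query'][:60]}")
    for alert in findings["rate_alerts"]:
        print(f"RATE {alert['account']} {alert['count']} queries in {alert['second']}")
```

Two points of design: the timing probe is listed first because, as the article notes, it usually precedes the data-extracting query, so a hit on `WAITFOR DELAY` from a web-tier account is the earliest signal you will get; and the rate check is keyed on the account name because a service account that normally issues a handful of queries per second has a very different baseline from a reporting user.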

The Longer Term Fix: Zero Trust for Legacy ERP

This Trimble Cityworks vulnerability is a symptom of a broken procurement culture. Local governments buy software that was designed in the 1990s and bolt on security patches like scotch tape. The real fix is to require vendors to build software with secure-by-design principles. Until then, every Cityworks server is a potential backdoor. Security researcher Katie Moussouris put it bluntly: "We are patching our way to bankruptcy. The only way out is to demand that these applications never ship with SQL injection in the first place."

The Kicker: This Is Not a Drill

As I wrap up this report, I have a CISA official on hold. She confirms that a second municipality was hit this morning. The initial access vector: a Trimble Cityworks vulnerability that was patched in 2022 but never applied. The backup tapes for that city are encrypted too. The mayor is holding a press conference in two hours. The attackers have not made a ransom demand yet, but they have exfiltrated 200 gigabytes of data, including sewer system diagrams. The question is not whether your organization will be targeted. The question is whether you will be the next headline. The Trimble Cityworks vulnerability is a ghost that refuses to die. Your move, administrator. Patch now, or explain later why the water plant went down because of a SQL injection that was two years old. The clock is ticking.

Frequently Asked Questions

What is the Trimble Cityworks vulnerability?

The vulnerability is a critical remote code execution flaw in Trimble Cityworks software, tracked as CVE-2025-0994, which allows unauthenticated attackers to execute arbitrary code on affected systems.

When was this vulnerability disclosed and exploited?

The vulnerability was publicly disclosed in January 2025 and is currently being actively exploited in the wild.

Which versions of Trimble Cityworks are affected?

Older versions of Cityworks prior to the latest patch releases, including builds before 23.10.6 and 24.11.2, are affected.

How can I protect my organization?

Immediately apply the security patches provided by Trimble and ensure your Cityworks installation is updated to the latest supported version.

Is public PoC exploit code available?

No, public proof-of-concept (PoC) exploit code has not been released yet, but active exploitations are happening in the wild.
