Advertisement

Report: Chinese hackers used Cityworks vulnerability to deliver malware

The bad actors have exploited the vulnerability since January, delivering malware to local governments and utilities groups.
(StateScoop)

Since January, Chinese-speaking hackers have launched malware attacks targeting enterprise networks of local governments by remotely exploiting a vulnerability in Trimble’s asset management software Cityworks, according to a report published Thursday by Cisco Talos.

The hackers, whose activity Talos tracks under the identifier UAT-6382, exploited a now-patched vulnerability in Cityworks to carry out “intrusions in enterprise networks of local governing bodies in the United States,” the report said.

Back in February, the Cybersecurity and Infrastructure Security Agency issued an advisory about the security vulnerability in Cityworks — which is being tracked as CVE-2025-0994 — stating that bad actors could gain administrative access through a customer’s Internet Information Services, or IIS, a Microsoft web server often used for hosting websites, applications and services on Windows.

The Environmental Protection Agency also issued an alert in February to inform water and wastewater system owners and operators of cyber incidents involving Cityworks software, urging them to immediately install patches and updates on systems running the software.


“UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access,” the Talos report said. “Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management.”

Trimble’s Cityworks software is GIS-based, and it is used by numerous local governments, utilities organizations and public agencies across the country to manage their infrastructure and community services.

After exploiting the vulnerability for remote code execution, the threat actors deployed attack frameworks such as Cobalt Strike and VShell to conduct reconnaissance on systems, according to the Talos report. From there, they identified and fingerprinted the server and then deployed malicious web shells of a kind commonly used by China-based hacking groups.
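Because the intrusions described above ended with web shells dropped onto IIS servers, one of the first triage checks an administrator can run is to list server-side script files under the web root that were written after a known-good baseline. The script below is an added illustration of that defender-side heuristic; it is not code from the StateScoop article, Cisco Talos, or Trimble, and the web-root layout, folder name and the `.aspx`/`.ashx`/`.asmx` extension set are assumptions for an ASP.NET deployment.

```python
"""List ASP.NET script files under an IIS web root modified after a baseline.

Added example for web-shell triage (not from the article or the Talos report).
Assumptions: the application is served by IIS as ASP.NET, so files with these
extensions are executable server-side; the baseline is the last time the
deployment was known to be clean (for example the last sanctioned upgrade).
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions IIS hands to the ASP.NET handler (assumption: default handler mappings).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


@dataclass(frozen=True)
class Finding:
    """One script file whose modification time is newer than the baseline."""
    path: str
    modified_utc: datetime
    size_bytes: int


def find_recent_scripts(web_root: str | os.PathLike, baseline: datetime) -> list[Finding]:
    """Walk web_root and return script files modified after baseline (tz-aware UTC).

    Newest files first, so a freshly dropped handler surfaces at the top.
    """
    if baseline.tzinfo is None:
        raise ValueError("baseline must be timezone-aware")
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue  # static content or data; not executed by the handler
            st = path.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if mtime > baseline:
                findings.append(Finding(str(path), mtime, st.st_size))
    findings.sort(key=lambda f: f.modified_utc, reverse=True)
    return findings


def demo() -> list[str]:
    """Build a constructed sample web root and return the basenames flagged.

    The layout is invented for the demonstration: one long-untouched page,
    one non-script file, and one handler recently written into an images folder.
    """
    root = Path(tempfile.mkdtemp(prefix="iis_demo_"))
    app = root / "CityworksApp"  # assumption: application folder name
    app.mkdir()

    legit = app / "Default.aspx"
    legit.write_text('<%@ Page Language="C#" %><html>ok</html>')
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(legit, (ninety_days_ago, ninety_days_ago))  # matches the baseline era

    (app / "readme.txt").write_text("not a script")  # ignored by extension

    images = app / "images"
    images.mkdir()
    (images / "upload.ashx").write_text('<%@ WebHandler Language="C#" Class="h" %>')

    baseline = datetime.now(timezone.utc) - timedelta(days=30)
    return [Path(f.path).name for f in find_recent_scripts(root, baseline)]


if __name__ == "__main__":
    for name in demo():
        print("review:", name)
```

Run it against the real web root with a baseline taken from change-management records; anything it lists that was not part of a sanctioned deployment deserves a content review and a check of the IIS request logs for hits on that path.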
