
Chinese Hackers Exploit Trimble Cityworks Vulnerability
A recent security analysis revealed that a Chinese-speaking threat actor group, tracked as UAT-6382, has been exploiting a remote-code-execution vulnerability in Trimble Cityworks, since patched, to compromise the networks of U.S. local government bodies. The vulnerability, identified as CVE-2025-0944, allowed attackers to deploy custom malware, including Cobalt Strike and VShell, for persistent access to compromised systems.
Key Details
- Who: UAT-6382, a Chinese-speaking hacking group.
- What: Exploitation of CVE-2025-0944, a critical vulnerability in Trimble Cityworks, a GIS-centric asset management platform.
- When: Attacks were observed beginning January 2025.
- Where: Local government networks in the U.S.
- Why: The flaw enables remote code execution, leading to unauthorized access and potential data exfiltration.
- How: The intrusions used web shells and custom malware to maintain long-term access.
Why It Matters
The exploitation of CVE-2025-0944 poses a significant risk to several critical areas:
- Enterprise Security: The successful compromise of utility management systems could lead to severe disruptions in municipal services.
- Compliance Risks: Organizations must ensure they have patched known vulnerabilities to remain compliant with security frameworks.
- Infrastructure Management: Threats like these underline the need for robust security in software dependencies, particularly in hybrid or multi-cloud environments.
Takeaway for IT Teams
IT professionals should prioritize immediate patching of vulnerable systems and review access controls to ensure no unauthorized channels remain. Monitoring network and host activity for signs of malicious behavior, such as unexpected script files appearing in the application's web root, is crucial. They should also revise their incident response plans to address similar exploitation attempts.
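The "How" item above notes that the intrusions relied on web shells dropped on the compromised server, and the takeaway calls for monitoring. One concrete, defender-side check is to compare the deployed web application directory against a manifest of hashes taken at deployment time and flag any server-executable script file that is not in the manifest, any manifest file whose content changed, and any expected file that is missing. The script below is an added illustration written for this brief; it is not Trimble's, Cisco Talos's or the site's own code. The directory layout, file names and manifest format are constructed for the example (Cityworks runs under IIS, but the paths used here are assumptions, not the product's real layout), and the sample tree is built in a temporary directory so the example runs offline.

```python
"""Flag web shell candidates in a web root by diffing it against a known-good
manifest of file hashes.

Added example for the brief above, not the vendor's or researchers' code.
The tree layout, file names and manifest are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that IIS / ASP.NET executes server-side. A file with one of these
# that is absent from the deployment manifest is a classic dropped web shell;
# web.config is included because tampering with it is another persistence route.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".ascx", ".config"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX form) to its SHA-256."""
    result: dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = sha256_file(full)
    return result


def find_webshell_candidates(manifest: dict[str, str],
                             current: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the deployment-time manifest.

    unknown_scripts: executable script files not present at deployment
    modified:        manifest files whose content no longer matches
    missing:         manifest files that have disappeared
    Non-script files that are new (uploads, images) are deliberately not flagged.
    """
    unknown_scripts = sorted(
        p for p in current
        if p not in manifest and Path(p).suffix.lower() in SCRIPT_EXTENSIONS
    )
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return {"unknown_scripts": unknown_scripts, "modified": modified, "missing": missing}


def build_sample_tree() -> tuple[dict[str, str], dict[str, str]]:
    """Construct a throwaway web root: take the manifest from a clean deployment,
    then simulate a post-compromise state. Constructed sample data only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"          # assumed layout, not Cityworks' real one
        (root / "App").mkdir(parents=True)
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %><html>ok</html>')
        (root / "web.config").write_text("<configuration></configuration>")
        (root / "App" / "Logo.png").write_bytes(b"\x89PNG sample")
        manifest = snapshot(root)             # recorded at deployment time

        # Simulated compromise: a dropped handler page, a tampered web.config,
        # and a harmless new image that must NOT be flagged as a script.
        (root / "App" / "cw.ashx").write_text("<%@ WebHandler %>")
        (root / "web.config").write_text("<configuration><!-- changed --></configuration>")
        (root / "App" / "notes.png").write_bytes(b"\x89PNG other")
        current = snapshot(root)
    return manifest, current


def run_sample() -> dict[str, list[str]]:
    """Build the constructed tree and return the findings."""
    manifest, current = build_sample_tree()
    return find_webshell_candidates(manifest, current)


if __name__ == "__main__":
    for category, paths in run_sample().items():
        print(f"{category}: {', '.join(paths) if paths else '-'}")
```

In production the manifest would be generated from a clean install and stored off the server, and the comparison scheduled so that a dropped script page surfaces within minutes rather than months; note that a hash baseline catches new and altered files but not a shell hidden in a path that was never inventoried, so the manifest must cover the whole application root.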
For more infrastructure insights, visit TrendInfra.com. Stay informed about emerging threats and strategies to safeguard your network.