Chinese Threat Actors Exploited Trimble Cityworks Flaw to Breach U.S. Local Government Networks
A Chinese-speaking threat actor, tracked as UAT-6382, has been exploiting a patched vulnerability in Trimble Cityworks to gain unauthorized access to U.S. local government networks.
Exploitation of CVE-2025-0994: A Deserialization of Untrusted Data Issue
The vulnerable Trimble Cityworks software uses a deserialization mechanism, which allows users to convert object streams into native data types. However, this feature can be exploited by attackers using crafted data to achieve remote code execution.
In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Trimble Cityworks vulnerability, CVE-2025-0994, to its Known Exploited Vulnerabilities catalog. This acknowledgment highlights the severity of this issue and serves as a warning to local governments using the software.
UAT-6382's Campaign: Deploying Cobalt Strike and VShell Malware
Since January 2025, UAT-6382 has successfully exploited CVE-2025-0994 to breach multiple U.S. local government networks. The attackers deployed Chinese-language web shells and custom malware, specifically targeting utility systems.
By using the Cobalt Strike and VShell tools, the threat actors were able to maintain long-term persistent access to compromised systems. Additionally, they employed Rust-based loaders called "TetraLoader," built using a recently publicly available malware building framework called "MaLoader."
Tactics, Techniques, and Procedures Used by UAT-6382
During their campaigns, UAT-6382 employed several TTPs to achieve their objectives. Their post-compromise activity involves rapidly deploying web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers.
Furthermore, they used Rust-based loaders, including TetraLoader, which is built using MaLoader. This suggests a high level of sophistication and organization among the threat actors.
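Because the post-compromise step described above is the drop of web shells onto the IIS host serving Cityworks, one practical detection is a file-system sweep of the web root for server-side scripts that changed after a known-good baseline or that contain web-shell-style constructs. The following Python triage script is an added example, not code from the article, Talos, or Trimble; the file names, the baseline window, and the sample shell content are constructed for the demo.

```python
import os
import re
import tempfile
import time

# Generic constructs seen in one-liner ASP.NET web shells (Chopper-style
# eval over a request parameter, reflective assembly loading, process
# spawning). These are illustrative patterns, not IOCs from the report.
SUSPICIOUS_PATTERNS = {
    "eval-on-request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "reflective-load": re.compile(r"Assembly\.Load\s*\(", re.IGNORECASE),
    "shell-exec": re.compile(r"Process\.Start\s*\(|cmd\.exe", re.IGNORECASE),
}
SERVER_SIDE_EXTS = (".aspx", ".ashx", ".asmx", ".asax")


def scan_webroot(root, newer_than):
    """Return [(relative_path, [reasons])] for server-side script files under
    root that were modified after `newer_than` (epoch seconds) or that match a
    suspicious pattern. Either alone deserves a look; both together is strong."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SERVER_SIDE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(path) > newer_than:
                reasons.append("modified after baseline")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than crash the sweep
            reasons += [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def demo():
    """Build a constructed web root (one old benign page, one freshly dropped
    Chopper-style shell) and scan it against a baseline one hour in the past."""
    root = tempfile.mkdtemp(prefix="iis-scan-demo-")
    baseline = time.time() - 3600  # constructed: last known-good inventory time
    benign = os.path.join(root, "Default.aspx")
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>Hello</html>')
    os.utime(benign, (baseline - 86400, baseline - 86400))  # untouched since before baseline
    shell = os.path.join(root, "cache_helper.aspx")  # constructed file name
    with open(shell, "w") as fh:
        fh.write('<%@ Page Language="Jscript"%><%eval(Request.Item["x"]);%>')
    return scan_webroot(root, baseline)
```

Run `demo()` to see the sweep flag only the newly written shell; in production, point `scan_webroot` at the real web root and pass the timestamp of your last verified deployment.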
Conclusion: The Importance of Patching and Vigilance
The exploitation of CVE-2025-0994 highlights the importance of staying up-to-date with patch releases for critical software like Trimble Cityworks. Local governments must prioritize vulnerability management to prevent similar attacks in the future.
Stay Informed and Secure
To stay informed about emerging threats and vulnerabilities, follow us on Twitter: @securityaffairs and Facebook. Additionally, you can find our indicators of compromise (IOCs) in our GitHub repository.