Quick Takeaways
- Exploitation of Vulnerability: Chinese-speaking hackers exploited a critical deserialization vulnerability (CVE-2025-0994) in Trimble Cityworks software to breach U.S. local government networks, commencing in January 2025.
- Advanced Malware Deployment: The hacking group UAT-6382 utilized a Rust-based malware loader to install Cobalt Strike beacons and VSHell malware, facilitating long-term access and further intrusion into systems related to utilities management.
- Government Warnings & Patching: Trimble and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued urgent advisories for federal agencies to patch their systems within three weeks, emphasizing the high risk posed by such vulnerabilities to critical infrastructure.
- Targeted Sectors: The targeted agencies include those involved in water, energy, transportation, and communications, highlighting the serious implications for public safety and infrastructure integrity.
The Core Issue
In January 2025, a Chinese-speaking hacker group tracked as UAT-6382 began targeting local government bodies across the United States through a critical security vulnerability in Trimble Cityworks, a Geographic Information System (GIS) platform used for managing public assets and infrastructure. The flaw, identified as CVE-2025-0994, is a deserialization vulnerability that allowed the attackers to execute code remotely on the Microsoft Internet Information Services (IIS) servers hosting Cityworks. From there they deployed a Rust-based loader that installed Cobalt Strike beacons and VSHell malware, and they maintained persistent access through backdoors and web shells containing Chinese-language messages. The campaign was uncovered by Cisco Talos, whose researchers Asheer Malhotra and Brandon White documented the intrusions and the attackers' focus on utility management systems.
In response to these breaches, Trimble released security patches in early February 2025, indicating that it was aware of ongoing exploitation attempts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), recognizing the severity of the threat, directed federal entities to update their systems promptly and emphasized the risk posed by vulnerabilities such as CVE-2025-0994. CISA's advisories also reached critical sectors such as water, energy, transportation, and government services, urging immediate mitigation, since vulnerabilities of this kind are frequent attack vectors with potentially severe consequences for national security and public welfare.
Security Implications
The exploitation of the Trimble Cityworks zero-day vulnerability poses a significant risk not only to the targeted local governments but also to the broader set of businesses and organizations that rely on similar infrastructure management systems. Once malicious actors gain unauthorized access and deploy malware of this kind, the fallout can cascade across sectors and jeopardize critical public services such as utilities, transportation, and communications, a scenario that could result in widespread operational disruption, financial losses, and compromised data integrity. This breach underscores the need for every organization using similar technologies to adopt robust cybersecurity measures proactively; failing to do so could expose them to the same kind of exploitation, eroding public trust, inviting regulatory scrutiny, and forcing costly remediation. Because modern infrastructure is so interconnected, organizations must remain collectively vigilant against threats that could destabilize essential societal functions.
Possible Next Steps
Timely remediation is crucial in safeguarding public infrastructure and sensitive data from breaches such as the recent intrusion by Chinese hackers exploiting a Cityworks zero-day vulnerability.
Mitigation Strategies
- Immediate Patch Deployment
- Network Segmentation
- Incident Response Plan Implementation
- Enhanced Employee Training
- Regular Security Audits
- Intrusion Detection Systems
- Vulnerability Scanning
NIST Guidance Summary
The NIST Cybersecurity Framework (CSF) underscores the importance of rapid response and recovery protocols to address vulnerabilities. For detailed directives, refer to NIST Special Publication 800-53, which provides a comprehensive catalog of security and privacy controls.