A sophisticated cyber threat actor, designated UAT-6382, has been identified as actively exploiting a zero-day vulnerability in Cityworks, a widely deployed municipal asset management system. This vulnerability, tracked as CVE-2025-0994, enables unauthenticated remote code execution (RCE), granting attackers full administrative control over Cityworks servers. The exploitation of this flaw raises serious concerns for local governments, infrastructure providers, and utility management entities, as attackers can potentially disrupt critical services and exfiltrate sensitive GIS-related data.
Threat intelligence reports indicate UAT-6382 is linked to a Chinese-speaking cyber espionage group, employing custom malware loaders, sophisticated web shells, and persistence techniques reminiscent of known nation-state tactics. Security researchers emphasize the urgency of patching Cityworks deployments immediately to prevent widescale intrusions.
1. CVE-2025-0994 – Technical Breakdown of the Zero-Day Exploit
🛑 Key Details
- Vulnerability Type: Remote Code Execution (RCE) via Deserialization of Untrusted Data
- CVSS Severity Score: 8.6 (High Severity)
- Affected Component: Cityworks GIS-Centric Asset Management Software
- Impact: System Takeover, Data Theft, and Persistent Network Access
- Exploitation Status: Confirmed active exploitation in the wild
📌 How the Attack Works
🔹 Initial Exploitation – Attackers utilize CVE-2025-0994 to craft malicious payloads, executing arbitrary commands remotely on Cityworks servers.
🔹 Web Shell Deployment – Upon successful intrusion, UAT-6382 installs AntSword, Chopper, and Behinder web shells, commonly employed by Chinese cyber espionage units.
🔹 Rust-Based Malware Loaders – To evade detection, attackers deploy TetraLoader, a Rust-based loader leveraging MaLoader, a custom framework written in Simplified Chinese to inject additional payloads.
🔹 Long-Term Persistence via Cobalt Strike & VShell – The attackers maintain continuous access using Cobalt Strike beacons and a Go-based remote access toolkit, VShell, allowing them to execute commands, extract files, and manipulate system settings.
Security analysts warn that UAT-6382’s methods mirror past cyberattacks targeting critical government infrastructures, underscoring the urgency of mitigation measures.
2. Affected Systems & Vulnerability Exposure
🖥️ Vulnerable Cityworks Deployments
📌 Cityworks instances running on Microsoft IIS servers are the primary targets, as attackers exploit IIS-specific web shells to establish persistence.
⚠️ Why This Vulnerability Poses a Severe Threat
🚀 Municipal Infrastructure Risks – Attackers can disrupt citywide utilities, affecting emergency response systems, transportation networks, and energy grids.
🚀 Sensitive Data Theft – Exploited servers could be leveraged to exfiltrate geographic information system (GIS) data, exposing confidential infrastructure layouts and operational workflows.
🚀 Supply Chain Weaknesses – If Cityworks integrates with other municipal platforms, attackers may pivot into additional government-controlled assets, leading to widespread network compromise.
3. Recommended Security Measures
✅ Immediate Mitigation Strategies
- Apply Cityworks Security Patches Immediately – Trimble has released official updates to remediate CVE-2025-0994. Administrators must verify patch deployment across all systems.
- Implement Web Application Firewalls (WAFs) – Enforce WAF rules to block malicious payload injections targeting Cityworks endpoints.
- Monitor for Indicators of Compromise (IoCs) – Regularly audit system logs for unexpected web shell installations, unauthorized API calls, and abnormal network traffic originating from Cityworks instances.
- Restrict External Access to Cityworks Servers – Limit exposure by applying strict access controls, disabling unnecessary remote administration features, and hardening firewall policies.
- Enhance Endpoint Detection & Response (EDR) – Deploy advanced threat monitoring solutions capable of flagging unusual authentication requests and persistence mechanisms linked to cyber espionage.
Cybersecurity teams should also conduct proactive vulnerability assessments to validate system configurations and identify potential attack vectors before exploitation occurs.
4. Conclusion & Next Steps
🔴 UAT-6382’s exploitation of Cityworks highlights the escalating trend of state-sponsored cyber operations targeting municipal and government infrastructure. Immediate remediation is necessary to prevent service disruptions, data breaches, and long-term intrusion persistence.
📢 Critical Action Steps:
✔️ Apply official security updates from Trimble to mitigate CVE-2025-0994.
✔️ Strengthen network segmentation to prevent attackers from pivoting into other enterprise systems.
✔️ Conduct security audits to identify unauthorized modifications and suspicious activity.
