Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments

Alex Cipher, 7 min read

The breach of US local governments by Chinese hackers exploiting a zero-day vulnerability in Cityworks software has raised significant concerns about cybersecurity in critical infrastructure. This vulnerability, identified as CVE-2025-0994, was a deserialization flaw that allowed remote code execution on Microsoft IIS servers. The attackers, a group known as UAT-6382, utilized sophisticated tools, including a Rust-based malware loader and web shells like AntSword, to maintain persistent access (Bleeping Computer). The implications of these attacks are profound, affecting sectors such as water, energy, and transportation, and highlighting the vulnerabilities in systems that manage essential public services (FortiGuard Labs).

Exploitation Techniques and Tools

The exploitation of the Cityworks zero-day vulnerability by Chinese hackers involved sophisticated techniques and tools. The primary vulnerability, identified as CVE-2025-0994, was a high-severity deserialization flaw that allowed authenticated threat actors to execute code remotely on Microsoft Internet Information Services (IIS) servers. This vulnerability was actively exploited by a Chinese-speaking threat actor group known as UAT-6382.

Malware and Tooling

The attackers utilized a variety of malware and custom tools to exploit the vulnerability. Notably, they employed a Rust-based malware loader to deploy Cobalt Strike beacons and VSHell malware, which were designed to backdoor compromised systems and provide long-term persistent access. Additionally, web shells such as AntSword and Chopper, along with generic file uploaders, were used to maintain access and execute commands on the compromised servers. These tools were often accompanied by messaging written in the Chinese language, indicating the origin of the threat actors (Bleeping Computer).

Custom Tooling and Exploit Development

The custom tooling used in these attacks included TetraLoader, built using a malware-builder called ‘MaLoader,’ which was also written in Simplified Chinese. This indicates a high level of customization and sophistication in the attack strategy, allowing the threat actors to tailor their tools specifically for the Cityworks environment. The use of custom tools suggests that the attackers had a deep understanding of the targeted systems and were able to develop exploits that could effectively bypass existing security measures (Cisco Talos Blog).

Impact on Local Governments and Infrastructure

The exploitation of the Cityworks zero-day vulnerability had significant implications for local governments and infrastructure across the United States. Cityworks is a widely used asset management and work order management software, primarily employed by local governments, utilities, and public works organizations. The breach of these systems posed a substantial risk to critical infrastructure and public services.

Targeted Sectors

The attacks targeted various sectors, including water and wastewater systems, energy, transportation systems, government services, and facilities. These sectors are critical to the functioning of local governments and the delivery of essential services to the public. By compromising these systems, the attackers could potentially disrupt operations, cause financial losses, and undermine public trust in government institutions (FortiGuard Labs).

Long-Term Access and Data Exfiltration

One of the primary objectives of the attackers was to gain long-term persistent access to the compromised systems. This allowed them to conduct reconnaissance, exfiltrate sensitive data, and potentially manipulate or disrupt operations. The use of stealthy malware implants and web shells facilitated this access, enabling the attackers to maintain a foothold in the targeted networks without detection for extended periods (Security Online).

Response and Mitigation Efforts

In response to the exploitation of the Cityworks zero-day vulnerability, several mitigation efforts were undertaken by cybersecurity agencies and the software vendor, Trimble. These efforts aimed to address the vulnerability, prevent further exploitation, and assist affected organizations in recovering from the attacks.

Patch Deployment and Advisory Issuance

Trimble released security updates to patch the CVE-2025-0994 vulnerability in early February 2025. The updates were designed to address the deserialization flaw and prevent remote code execution on affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued advisories, urging organizations to apply the patches immediately and warning of the significant risks posed by the vulnerability (CISA Advisory).

Indicators of Compromise and Threat Intelligence Sharing

To aid in the detection and mitigation of the attacks, Cisco Talos and Trimble released indicators of compromise (IOCs) related to the exploitation of CVE-2025-0994. These IOCs included information on the malware, web shells, and other tools used by the attackers, allowing organizations to identify potential compromises and take appropriate action. The sharing of threat intelligence was crucial in helping affected organizations understand the scope of the attacks and implement effective countermeasures (Cisco Talos Blog).

Challenges in Addressing Zero-Day Vulnerabilities

The exploitation of the Cityworks zero-day vulnerability highlights several challenges in addressing such vulnerabilities, particularly in the context of critical infrastructure and government systems.

Detection and Response

Detecting zero-day vulnerabilities and responding to their exploitation is inherently challenging because defenders have no prior knowledge of the specific flaw and no existing defenses tuned to it. In the case of Cityworks, the attackers were able to exploit the vulnerability before it was publicly disclosed and patched, allowing them to gain initial access and establish persistence in the targeted networks. This underscores the importance of proactive threat hunting and continuous monitoring to identify and respond to suspicious activity in real time (TechTarget).
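As an added defender-side example (not code from the article, Cisco Talos or Trimble), the following Python hunts an IIS W3C log for the web-shell pattern described in the malware section: POST requests to server-side script files that are not part of the application's known endpoint baseline. The log lines and the BASELINE allowlist are constructed for illustration; a real baseline would be built from the deployment's own Cityworks endpoints.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (IIS encodes spaces inside a field as '+').
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2025-02-10 10:01:02 GET /cityworks/Default.aspx - jdoe 192.0.2.10 Mozilla/5.0+(constructed) 200
2025-02-10 10:01:07 POST /cityworks/Services/Auth.svc - jdoe 192.0.2.10 Mozilla/5.0+(constructed) 200
2025-02-10 10:05:44 POST /cityworks/Upload/images/x.aspx - - 198.51.100.23 Mozilla/5.0+(constructed) 200
2025-02-10 10:05:45 POST /cityworks/Upload/images/x.aspx - - 198.51.100.23 Mozilla/5.0+(constructed) 200
2025-02-10 10:06:01 POST /cityworks/Upload/images/x.aspx - - 198.51.100.23 Mozilla/5.0+(constructed) 200
"""

# Hypothetical allowlist of script paths the application legitimately serves (lower-cased).
BASELINE = {"/cityworks/services/auth.svc", "/cityworks/default.aspx"}

# IIS handler extensions that execute server-side code when requested.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".svc")


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def hunt_webshells(rows, baseline):
    """Flag POSTs to script paths outside the baseline: a dropped web shell is a
    script file that suddenly takes POST traffic, worse if unauthenticated ('-')."""
    findings = defaultdict(lambda: {"hits": 0, "clients": set(), "anonymous": False})
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not path.endswith(SCRIPT_EXT) or path in baseline:
            continue
        hit = findings[path]
        hit["hits"] += 1
        hit["clients"].add(r["c-ip"])
        hit["anonymous"] |= r["cs-username"] == "-"
    return dict(findings)


if __name__ == "__main__":
    for path, info in hunt_webshells(parse_w3c(SAMPLE_LOG), BASELINE).items():
        print(path, info)
```

Any flagged path should then be checked on disk against a known-good file inventory of the web root, since a script that is not part of the installed application is the artefact to triage.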

Coordination and Collaboration

Addressing zero-day vulnerabilities requires coordination and collaboration among various stakeholders, including software vendors, cybersecurity agencies, and affected organizations. In the case of Cityworks, Trimble and CISA worked together to issue advisories and provide guidance on patching and mitigation. However, the effectiveness of these efforts depends on the timely dissemination of information and the willingness of organizations to implement recommended security measures (FortiGuard Labs).

Lessons Learned and Future Considerations

The Cityworks zero-day vulnerability exploitation provides valuable lessons and considerations for future cybersecurity efforts, particularly in the context of protecting critical infrastructure and government systems.

Importance of Patch Management

The timely application of patches and security updates is crucial in preventing the exploitation of vulnerabilities. Organizations must prioritize patch management and ensure that their systems are up-to-date with the latest security fixes. This requires a robust patch management process that includes regular vulnerability assessments, testing, and deployment of patches across all systems (Security Vulnerability).

Enhancing Threat Detection and Response Capabilities

Organizations must enhance their threat detection and response capabilities to effectively identify and mitigate zero-day vulnerabilities. This includes investing in advanced security technologies, such as intrusion detection systems, endpoint detection and response solutions, and threat intelligence platforms. Additionally, organizations should conduct regular security training and awareness programs to ensure that employees are equipped to recognize and respond to potential threats (Bleeping Computer).

Strengthening Collaboration and Information Sharing

Collaboration and information sharing among stakeholders are essential in addressing zero-day vulnerabilities and mitigating their impact. Organizations should participate in threat intelligence sharing initiatives and collaborate with industry peers, government agencies, and cybersecurity vendors to stay informed about emerging threats and vulnerabilities. This collaborative approach can enhance situational awareness and enable more effective and coordinated responses to cyber threats (The Cyber Express).

Final Thoughts

The exploitation of the Cityworks zero-day vulnerability underscores the critical need for robust cybersecurity measures in protecting local government infrastructure. The incident highlights the importance of timely patch management and the need for enhanced threat detection capabilities. Collaborative efforts between software vendors, cybersecurity agencies, and affected organizations are crucial in mitigating such threats. The lessons learned from this breach should guide future strategies to safeguard critical infrastructure against sophisticated cyber threats (Cisco Talos Blog).
