Multiple U.S. local governments have been compromised in an intrusion campaign run by Chinese-speaking hackers who exploited a critical vulnerability in Trimble's Cityworks asset management software. The flaw, CVE-2025-0994, is a deserialization-of-untrusted-data bug that lets an authenticated user execute code on the Microsoft Internet Information Services (IIS) web server hosting Cityworks. Exploitation in the wild began in January 2025, and code execution on that server gave the attackers their foothold on municipal networks.
The campaign, tracked by Cisco Talos as UAT-6382, showed a clear interest in critical infrastructure, particularly the water and wastewater utilities that run day-to-day operations on Cityworks. Initial access came through the Cityworks exploit; once on a server, the attackers deployed Cobalt Strike and VShell as command-and-control implants for hands-on-keyboard activity and longer-term access.
After gaining initial access, the threat actors ran reconnaissance commands to enumerate the compromised server and the surrounding network, then dropped web shells into the IIS web root and custom loaders that staged their backdoors, giving them a covert, persistent presence on municipal systems.
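Because the exploit lands on the IIS server and the follow-on tooling is a web shell, defenders have two cheap places to look: the IIS request logs (script files being served from locations a clean Cityworks install never exposes) and process creation telemetry (the IIS worker process w3wp.exe launching a shell). The script below is an added example, not code from the article, Cisco Talos or Trimble. The IIS log lines, process events and the baseline of legitimate script paths are constructed for the demo; the patched-release thresholds (Cityworks 15.8.9, Cityworks with office companion 23.10) are those stated in CISA's advisory for CVE-2025-0994.

```python
"""Hunt for Cityworks web-shell activity in IIS logs and flag unpatched builds.

Added example, not code from the article, Cisco Talos or Trimble. The sample
log lines, process events and KNOWN_SCRIPT_PATHS are constructed; the patched
versions come from CISA's advisory for CVE-2025-0994.
"""
from typing import Dict, Iterable, List, Tuple

# Fixed releases per CISA's advisory: any older build is affected.
PATCHED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "cityworks": (15, 8, 9),
    "cityworks_office_companion": (23, 10),
}

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")

# Constructed baseline of script endpoints a deployment is expected to serve.
# In practice, build this from a file inventory of a clean install.
KNOWN_SCRIPT_PATHS = {
    "/cityworks/login.aspx",
    "/cityworks/services/ams.asmx",
}

# Binaries the IIS worker process has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "certutil.exe"}


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < PATCHED_VERSIONS[product]


def parse_w3c_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, using the #Fields directive for column names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # IIS replaces spaces inside a field with '+'
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_webshell_requests(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Flag requests to server-side script files that are not in the known baseline."""
    findings = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith(SCRIPT_EXTENSIONS) and stem not in KNOWN_SCRIPT_PATHS:
            findings.append((rec["c-ip"], rec["cs-method"], stem, rec["sc-status"]))
    return findings


def find_w3wp_children(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag process-creation events where w3wp.exe spawns a shell or recon utility."""
    hits = []
    for ev in events:
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        child = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append((child, ev["cmdline"]))
    return hits


# Constructed sample data (RFC 5737 documentation addresses, invented paths).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-15 03:11:02 10.0.0.5 GET /cityworks/login.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-15 03:12:44 10.0.0.5 POST /cityworks/services/ams.asmx - 443 jdoe 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-15 03:14:09 10.0.0.5 POST /cityworks/uploads/tmp1.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-01-15 03:14:10 10.0.0.5 POST /cityworks/uploads/tmp1.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-01-15 03:20:31 10.0.0.5 GET /cityworks/images/logo.png - 443 - 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""

SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def run_hunt() -> Dict[str, object]:
    """Run all three checks over the constructed data and return the findings."""
    return {
        "unpatched": is_vulnerable("cityworks", "15.8.8"),
        "webshell_requests": find_webshell_requests(parse_w3c_log(SAMPLE_IIS_LOG.splitlines())),
        "w3wp_children": find_w3wp_children(SAMPLE_PROCESS_EVENTS),
    }


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(key, "->", value)
```

The baseline approach is deliberately simple: a web shell has to be reachable through IIS, so any server-side script outside the inventory of a clean install is worth a look, and a POST from an automation user agent to such a file is a strong signal. Pair it with process-tree monitoring, since a web shell's commands show up as children of w3wp.exe regardless of what the shell is called.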
The Cybersecurity and Infrastructure Security Agency (CISA), which added CVE-2025-0994 to its Known Exploited Vulnerabilities catalog in February 2025, and the Environmental Protection Agency (EPA) issued advisories warning utilities about the active exploitation and urging immediate patching. The attacks fit the pattern of broader Chinese-linked campaigns against U.S. critical infrastructure, including transportation and energy systems, and underscore an escalating tempo of state-sponsored cyber operations.
Trimble released fixed builds, Cityworks 15.8.9 and Cityworks with office companion 23.10, together with remediation guidance for the vulnerability. Law enforcement agencies, including the Department of Justice, have stepped up efforts to identify and prosecute those responsible for the attacks.
The compromise has reinforced calls for improved cybersecurity protocols and vendor risk management practices within government IT systems.
Security researchers have documented the attackers' tradecraft, which included deploying payloads quickly after exploitation and moving laterally across compromised networks. The exploitation let the threat actors establish persistent access to municipal systems that manage critical city infrastructure and resources.
This incident has prompted increased scrutiny of software supply chain vulnerabilities and highlighted the growing sophistication of state-sponsored cyber threats targeting U.S. government entities.