Managed IT Houston - Cybersecurity
Shane

Chinese Hackers Exploit Cityworks Zero-Day to Breach U.S. Local Governments


The cybersecurity world has been shaken by revelations of a sophisticated attack campaign targeting critical infrastructure across the United States. Chinese-speaking threat actors, designated as UAT-6382, have successfully exploited a zero-day vulnerability in Trimble Cityworks to breach multiple local government networks, marking one of the most significant infrastructure-focused cyberattacks of 2025.

Description of the Vulnerability

CVE-2025-0994 is a high-severity remote code execution vulnerability affecting Trimble Cityworks, a widely-used Geographic Information System (GIS)-based asset management platform. This software is the backbone for many local governments, utilities, and public works organizations, helping them manage public assets, handle permitting and licensing, and process work orders.

The vulnerability stems from the deserialization of untrusted data, a dangerous programming flaw that allows attackers to execute malicious code remotely on Microsoft Internet Information Services (IIS) web servers hosting Cityworks installations. This type of vulnerability is particularly insidious because it can be triggered over the network, with no physical access to the target systems required.

[Figure: ASP based file uploader deployed by UAT-6382 – Source: Cisco Talos]

Severity of the Issue

With a CVSS score of 8.6, CVE-2025-0994 represents a critical threat to organizations running vulnerable Cityworks installations. The Cybersecurity and Infrastructure Security Agency (CISA) moved swiftly to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in February 2025, mandating that federal agencies patch their systems within three weeks.

The severity extends beyond the technical score. The targeted nature of these attacks against local government infrastructure raises concerns about potential disruption to essential services including water systems, transportation networks, and emergency services. The attackers demonstrated a clear interest in pivoting to utility management systems, suggesting broader strategic objectives beyond simple data theft.

How the Exploit Works

The attack begins with UAT-6382 exploiting the deserialization vulnerability in Cityworks to gain initial access to the target network. Once inside, the attackers follow a methodical approach:

Initial Reconnaissance: The threat actors execute basic system commands including ipconfig, pwd, dir, and tasklist to fingerprint the compromised server and understand the network environment.

Web Shell Deployment: Within hours of initial compromise, attackers deploy multiple web shells including AntSword, chinatso/Chopper, and Behinder. These tools, many containing Chinese-language interfaces and messages, provide persistent backdoor access to the compromised systems.

Custom Malware Installation: The attackers deploy a sophisticated Rust-based loader called TetraLoader, built using the MaLoader framework written in Simplified Chinese. This loader injects malicious payloads including Cobalt Strike beacons and VShell remote access trojans into legitimate system processes.

Data Staging and Exfiltration: Files of interest are systematically identified, enumerated, and staged in directories containing web shells for easy exfiltration.

Who is Behind the Attack

Cisco Talos researchers have attributed these attacks with high confidence to Chinese-speaking threat actors tracked as UAT-6382. Multiple indicators support this attribution:

  • The web shells and custom tools contain Chinese-language interfaces and messages
  • The MaLoader framework used to build TetraLoader is written in Simplified Chinese
  • The VShell command-and-control panels feature Chinese interfaces
  • The tactics, techniques, and procedures align with known Chinese threat group operations
  • The victimology pattern focuses on U.S. critical infrastructure, consistent with state-sponsored objectives

While the specific group behind UAT-6382 has not been definitively linked to known Advanced Persistent Threat (APT) groups, the sophisticated nature of the attack and infrastructure focus suggests state-sponsored or state-adjacent actors.

Who is at Risk

The primary targets of this campaign have been local governing bodies in the United States, specifically those utilizing Trimble Cityworks for asset management. Organizations at highest risk include:

  • Municipal governments and city administrations
  • Public utilities and water management systems
  • Transportation departments and traffic management agencies
  • Public works organizations
  • Emergency services coordination centers
  • Infrastructure management companies

However, the risk extends beyond direct Cityworks users. The attackers demonstrated interest in pivoting to connected utility management systems, potentially affecting:

  • Electrical grid operators
  • Water treatment facilities
  • Transportation control systems
  • Emergency response networks

Any organization in the critical infrastructure sectors identified by CISA – including water and wastewater systems, energy, transportation, government facilities, and communications – should consider themselves potential targets.

Remediation Steps

Immediate Actions:

  • Update Cityworks to version 15.8.9 (released January 28, 2025) or Cityworks with Office Companion version 23.10 (released January 29, 2025)
  • Scan networks for indicators of compromise provided by Cisco Talos
  • Review IIS server configurations and access logs for suspicious activity
  • Implement network segmentation to isolate Cityworks installations from critical systems

Ongoing Security Measures:

  • Configure IIS to run without local or domain administrative privileges
  • Limit attachment directory root configurations to contain only necessary files
  • Deploy endpoint detection and response (EDR) solutions capable of detecting web shell deployment
  • Implement network monitoring to identify unusual command-and-control traffic
  • Establish incident response procedures specific to critical infrastructure environments

Monitoring and Detection:

  • Watch for suspicious PowerShell activity and file transfers
  • Monitor for connections to known malicious domains and IP addresses
  • Implement file integrity monitoring on web server directories
  • Deploy network traffic analysis to detect encrypted command-and-control communications
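File integrity monitoring on web server directories, listed above, is what catches both the web shells and the staged files the attackers placed next to them. The following added example (not Trimble, Talos or CinchOps code) takes a SHA-256 baseline of a web root, diffs a later snapshot against it, and escalates only new or changed files with server-executable extensions. The demo web root is constructed with `tempfile`; the file names and contents in `demo()` are illustrative only, and on a real host `snapshot()` would be pointed at the Cityworks site root and its attachment directory.

```python
"""File-integrity baseline for an IIS web root (added example, not vendor code).

Hashes every file under a directory, compares a later snapshot against the
baseline and reports added, modified and removed files. New or changed
server-side scripts under a web root are escalated, because that is where
web shells and staged data land. The demo directory is constructed here with
tempfile; point snapshot() at the real site root in production.
"""
import hashlib
import os
import tempfile

# Extensions IIS/ASP.NET will execute or load; a new file with one of these
# under the web root is an alert, an uploaded image is routine.
SCRIPT_EXTENSIONS = (".aspx", ".asmx", ".ashx", ".asp", ".dll", ".config")


def file_sha256(path):
    """Stream the file so large attachments do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_sha256(full)
    return result


def diff_snapshots(baseline, current):
    """Classify every path as added, modified or removed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def script_alerts(delta):
    """Only new or changed files with executable web extensions are escalated."""
    return sorted(p for p in delta["added"] + delta["modified"]
                  if p.lower().endswith(SCRIPT_EXTENSIONS))


def demo():
    """Constructed scenario: baseline a tiny web root, then detect a dropped script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "login.aspx"), "w") as fh:
            fh.write("<%@ Page Language=\"C#\" %>")  # legitimate app page
        with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG")
        baseline = snapshot(root)

        # Later: a routine image upload plus a script appearing in the
        # attachment directory, which is the web-shell pattern to catch.
        with open(os.path.join(root, "images", "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8")
        with open(os.path.join(root, "images", "x.aspx"), "w") as fh:
            fh.write("<!-- placeholder for an unexpected script -->")

        delta = diff_snapshots(baseline, snapshot(root))
        return script_alerts(delta)


if __name__ == "__main__":
    print("escalate:", demo())
```

Store the baseline off the server (an attacker who can write to the web root can also edit a baseline kept beside it), re-run the snapshot on a schedule, and treat any `script_alerts` hit as an incident trigger rather than a ticket, since the Cityworks intrusions moved from initial access to web shells within hours.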

How CinchOps Can Secure Your Business

At CinchOps, we understand that protecting critical infrastructure requires more than just applying patches. Our comprehensive cybersecurity approach combines proactive monitoring, rapid response capabilities, and deep expertise in securing complex technology environments against sophisticated threats like the Cityworks attack.

  • 24/7 Network Monitoring: Advanced threat detection specifically designed to identify sophisticated attack techniques including web shell deployment, malicious PowerShell activity, and encrypted command-and-control communications
  • Endpoint Protection: Deploy cutting-edge security solutions that can detect and block custom malware like TetraLoader and prevent malicious code injection into legitimate system processes
  • Infrastructure Security Assessments: Specialized evaluations of industrial control systems and asset management platforms to identify vulnerabilities before attackers can exploit them
  • Incident Response Services: Response capabilities with experience handling nation-state attacks, ensuring rapid containment, evidence preservation, and compliance with federal reporting requirements
  • Network Segmentation: Strategic isolation of critical systems to prevent lateral movement and limit the impact of successful breaches
  • Vulnerability Management: Proactive identification and remediation of security flaws in your technology stack before they become entry points for attackers

Don’t wait for the next zero-day vulnerability to put your organization at risk. Contact CinchOps today to discuss how our managed security services can protect your critical infrastructure from advanced persistent threats. With locations serving Houston and Katy, we are your local partner for enterprise-grade cybersecurity protection.

Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: The Riskiest Connected Devices of 2025: What You Need to Know
For Additional Information on this topic: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
