Chinese Hackers Breach Utilities

In a concerning development for US critical infrastructure, Chinese-speaking hackers have successfully infiltrated local government utilities across the United States, utilizing a zero-day vulnerability in Trimble Cityworks software.

This vulnerability, tracked as CVE-2025-0994, received a high severity rating of 8.6 on the Common Vulnerability Scoring System (CVSS) and was disclosed and patched in February 2025. Exploitation, however, had already begun in January, giving the attackers initial access through compromised authenticated user accounts on Microsoft Internet Information Services (IIS) servers hosting the Cityworks software.

The intrusions were characterized by the deployment of webshells and custom malware, which gave the attackers prolonged, stealthy access to the affected networks. According to the US Cybersecurity and Infrastructure Security Agency (CISA), this active exploitation posed significant risks to operational technology and industrial control system (ICS) environments, particularly the small public water and power utilities that are integral to the broader infrastructure. The attacks also underscore Beijing’s interest in U.S. economic data, collected as the intruders work their way into crucial components of the nation’s infrastructure.

The deployment of webshells and custom malware poses critical risks to essential utilities and infrastructure networks.

By targeting local governmental bodies, the hackers aimed to establish footholds within less-defended utilities before potentially escalating their attacks to larger networks. Expert analysis from Cisco’s Talos threat intelligence group has attributed the group behind these intrusions to Chinese state-sponsored activity, indicating a strategic focus on intelligence gathering rather than immediate disruption. Their approach included pre-positioning within networks for extended periods, often exceeding 300 days. The average data breach cost of $4.45 million in 2023 highlights the potential financial impact of such intrusions.

Such infections raise alarms not only for data intelligence but for the future operational integrity of critical resources like power grids and water delivery systems.

Despite the availability of patches for the vulnerability, many systems remain unprotected because of inadequate cybersecurity practices. The exploitation involved insecure deserialization, which allowed remote execution of arbitrary code on the targeted systems and highlights the ongoing risk posed by the legacy IIS servers still prevalent in critical US infrastructure.
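Because the post-exploitation foothold described above was a webshell dropped on an IIS server, one practical check a utility can run without vendor tooling is a scan of the IIS W3C logs for script files whose request pattern does not look like a real application page. The following Python script is an added example, not code from the article, Trimble, CISA or Cisco Talos. It assumes the default IIS W3C field order, treats a short list of directories as "should only hold static or uploaded content", and runs over constructed sample log lines rather than captured traffic; the heuristics and thresholds are illustrative choices, not a published rule set.

```python
"""Scan IIS W3C extended-format log lines for webshell-like request patterns.

Added example for illustration only. Field order, directory list and sample
lines are assumptions / constructed data, not taken from a real Cityworks host.
"""
import re
from collections import defaultdict

# Assumed W3C field order (the IIS default with the common fields enabled).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp|soap)$", re.IGNORECASE)
# Assumed: directories that should only ever hold static or uploaded content.
STATIC_DIRS = ("/uploads/", "/images/", "/temp/", "/content/")


def parse_line(line):
    """Return a dict of fields for one log line, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_webshell_candidates(lines):
    """Return {uri: [reasons]} for script paths whose traffic looks like a webshell.

    Heuristics (assumptions chosen for illustration):
      - script file served out of a static/upload directory
      - script file that is only ever POSTed to (operators drive shells with
        POST; a real page is normally fetched with GET at least once)
      - script file whose requests never carry a Referer (nobody navigated to it)
    Two or more signals are required, since a lone missing Referer is normal
    for API endpoints.
    """
    per_uri = defaultdict(lambda: {"methods": set(), "referers": set(), "hits": 0})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        uri = rec["cs-uri-stem"].lower()
        if not SCRIPT_EXT.search(uri):
            continue
        stats = per_uri[uri]
        stats["methods"].add(rec["cs-method"].upper())
        stats["referers"].add(rec["cs(Referer)"])
        stats["hits"] += 1

    findings = {}
    for uri, stats in per_uri.items():
        reasons = []
        if any(uri.startswith(d) for d in STATIC_DIRS):
            reasons.append("script file in static/upload directory")
        if stats["methods"] == {"POST"}:
            reasons.append("only ever requested with POST")
        if stats["referers"] == {"-"}:
            reasons.append("never reached via a Referer")
        if len(reasons) >= 2:
            findings[uri] = reasons
    return findings


# Constructed sample log: routine application traffic plus two requests to a
# script file that appeared in an upload directory and is only ever POSTed to.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2025-01-15 08:00:01 10.0.0.5 GET /app/default.aspx - 443 jdoe 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120",
    "2025-01-15 08:00:03 10.0.0.5 GET /app/login.aspx ReturnUrl=%2fapp 443 - 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0) https://app.example.test/app/default.aspx 200 0 0 85",
    "2025-01-15 08:00:09 10.0.0.5 POST /app/api/save.ashx - 443 jdoe 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0) https://app.example.test/app/default.aspx 200 0 0 40",
    "2025-01-15 08:01:40 10.0.0.5 GET /uploads/site-plan.png - 443 jdoe 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0) https://app.example.test/app/default.aspx 200 0 0 12",
    "2025-01-16 02:13:55 10.0.0.5 POST /uploads/helper.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 310",
    "2025-01-16 02:14:02 10.0.0.5 POST /uploads/helper.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200 0 0 297",
]

if __name__ == "__main__":
    for uri, reasons in find_webshell_candidates(SAMPLE_LOG).items():
        print(uri)
        for r in reasons:
            print("  -", r)
```

On the constructed sample the only hit is `/uploads/helper.aspx`, flagged on all three signals; `/app/default.aspx` (no Referer) and `/app/api/save.ashx` (POST only) each trip a single heuristic and are correctly left alone. In practice the hit list is a triage queue: the next steps are to compare the file's creation time against the application's deployment history and to confirm the requesting client is not a known integration.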

These events illuminate the urgent need for municipalities to improve their cybersecurity measures and patch vulnerabilities quickly, as the threat environment continues to evolve with sophisticated tactics employed by cyber adversaries.
