Chinese Hackers Breach U.S. Government Networks via Trimble Cityworks Vulnerability

TL;DR

A Chinese-speaking threat actor, UAT-6382, exploited a vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell, compromising U.S. government networks. The attack highlights the need for vigilant cybersecurity measures and timely patching of software flaws.

Chinese Hackers Exploit Trimble Cityworks Flaw

A recent cybersecurity incident has revealed that a Chinese-speaking threat actor, identified as UAT-6382, successfully exploited a remote-code-execution vulnerability in Trimble Cityworks. This vulnerability, now patched and designated as CVE-2025-0944, was used to deliver Cobalt Strike and VShell, allowing the hackers to conduct reconnaissance and deploy various web shells and custom-made malware to maintain long-term access.

Details of the Attack

According to Cisco Talos researchers ¹, UAT-6382 targeted the Trimble Cityworks software, which is widely used in municipal and governmental settings for asset management. The attackers took advantage of the vulnerability to infiltrate U.S. government networks, highlighting the critical need for robust cybersecurity measures and timely patching of software flaws.

Key Tactics Employed

• Exploitation: The threat actor exploited CVE-2025-0944 to gain initial access.
• Reconnaissance: Conducted thorough reconnaissance to identify valuable targets.
• Deployment: Rapidly deployed Cobalt Strike and VShell to maintain persistent access.
• Custom Malware: Utilized custom-made malware to evade detection and maintain long-term control.

Implications and Importance

This incident underscores the ongoing threat posed by state-sponsored cyber attacks. Government agencies and organizations must prioritize cybersecurity, ensuring that all software is up-to-date and that robust monitoring systems are in place to detect and mitigate such threats.

Conclusion

The exploitation of the Trimble Cityworks vulnerability by UAT-6382 serves as a stark reminder of the importance of proactive cybersecurity measures. As the landscape of cyber threats continues to evolve, it is crucial for organizations to stay vigilant and implement comprehensive security protocols to safeguard their networks and data.

Additional Resources

For further insights, check:

• The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw

References

1. Cisco Talos (2025). “Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks”. The Hacker News. Retrieved 2025-05-22. ↩︎