Introduction
The UAT-6382 threat group [5] [9], made up of Chinese-speaking threat actors, is actively exploiting a critical zero-day vulnerability in Trimble Cityworks [5] [8], a widely used GIS-based asset and work order management platform [3]. This exploitation poses significant risks to local governments and utility management entities in the United States [11], potentially disrupting critical services and compromising sensitive data.
Description
Chinese-speaking threat actors from the UAT-6382 group are actively exploiting a critical zero-day vulnerability (CVE-2025-0944) in Trimble Cityworks [5], a GIS-based asset and work order management platform widely used by local government organizations and utilities in the United States. The vulnerability, which has a CVSS v4 score of 8.6 [1] [4] [5], is a deserialization flaw affecting Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10 [5] [7]. It allows unauthenticated attackers to remotely execute arbitrary commands on Microsoft Internet Information Services (IIS) servers [7] [9], giving them full administrative control over Cityworks installations [11]. The exploitation poses significant risks to local governments and utility management entities [11], as it can disrupt critical services and lead to the exfiltration of sensitive geographic information system (GIS) data [11]. Since January 2025 [1] [3] [4] [5] [6] [7] [8] [9] [12], UAT-6382 has been intruding into municipal networks [12], specifically targeting systems that manage utilities and infrastructure [8], including water and transportation services, and has achieved successful compromises [5].
In early February 2025 [9] [10], Trimble released security patches to address this serious flaw, urging customers to promptly install the updates [7]. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0944 to its Known Exploited Vulnerabilities Catalog on February 7 [3] [6] [9], advising US federal agencies to remediate the issue within three weeks [9]. Additionally, CISA issued a sector-wide advisory on February 11 [3], urging critical infrastructure operators to update immediately [3]. In response to these incidents, the Environmental Protection Agency has alerted water and wastewater system operators to the cyber threats involving Cityworks software [2], emphasizing the importance of timely patching.
After gaining initial access [12], UAT-6382 has performed reconnaissance [12], searching for sensitive files and fingerprinting servers, while deploying various web shells [2] [6] [12], including AntSword [9], Chopper [6] [11], and Behinder [6] [11], on compromised IIS web servers. The group uses Rust-based loaders known as TetraLoader, which are built with a malware framework called MaLoader [1] [4]; MaLoader was developed in December 2024 and is written in Simplified Chinese. TetraLoader is designed to inject additional payloads into benign processes [5], such as notepad.exe [5], delivering Cobalt Strike beacons and VShell stagers for command and control. Evidence suggests that UAT-6382 consists of Chinese-speaking threat actors [5], as indicated by the presence of Chinese language in their tools and communications [5] [12]. The group has shown a particular interest in long-term espionage and control, conducting reconnaissance on compromised servers [5], gathering system information [1] [4], and deploying multiple backdoors using PowerShell commands [5].
VShell [1] [2] [3] [4] [5] [6] [7] [9] [10] [11] [12], a Go-based remote access Trojan [5] [6], allows attackers to manage files [5], execute commands [5] [9], take screenshots [5], and set up proxy services on infected systems [5], with control panels displaying Chinese text [5]. Cobalt Strike beacons connect to specific domains [1] [4], including cdn[.]lgaircon[.]xyz and www[.]roomako[.]com, while VShell stagers receive XOR-encrypted payloads and deploy Go-based implants that support full remote access Trojan (RAT) functions [4]. The exploitation of Cityworks raises concerns about municipal infrastructure risks [11], including potential disruptions to emergency response systems [11], transportation networks [8] [11], and energy grids [11]. Additionally, compromised servers could lead to the theft of sensitive GIS data [11], revealing confidential infrastructure layouts [11]. If Cityworks is integrated with other municipal platforms [11], attackers may gain access to additional government-controlled assets [11], resulting in widespread network compromise [11].
Despite the availability of security patches for CVE-2025-0944, many vulnerable systems remain unprotected [10], allowing continued access to sensitive US infrastructure [10]. An Eventus scan revealed that 21% of publicly accessible Cityworks instances were vulnerable to this flaw [7]. Organizations are advised to monitor for suspicious activity using Cisco Talos’ technical indicators of compromise (IOCs) and to utilize security products like Cisco Secure Endpoint [5], Secure Firewall [5], and Umbrella for protection against these attacks [5]. CISA has also advised users to conduct thorough threat hunting and log reviews to identify indicators of compromise. Cisco assesses with high confidence that UAT-6382 is a financially motivated threat actor [12], as evidenced by their tactics [12], techniques [2] [11] [12], and procedures (TTPs) employed during the attacks [12], highlighting the ongoing threat to critical infrastructure from targeted cyberattacks leveraging software supply chain or zero-day vulnerabilities [8].
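As an added illustration of the version check and log review recommended above (example code written for this summary, not tooling from Cisco Talos, CISA or Trimble), the following script flags Cityworks installs below the fixed releases named in the advisory and scans constructed proxy/DNS log lines for contact with the two beacon domains the advisory lists. The log line format (`timestamp src-ip hostname action`) is an assumption; the sample lines are constructed, not real telemetry.

```python
import re
from typing import Iterable

# Affected versions as stated in the advisory: Cityworks before 15.8.9,
# and Cityworks with Office Companion before 23.10.
FIXED_CITYWORKS = (15, 8, 9)
FIXED_OFFICE_COMPANION = (23, 10)

# C2 domains named in the advisory (defanged there as cdn[.]lgaircon[.]xyz
# and www[.]roomako[.]com); refanged here only for matching against logs.
C2_DOMAINS = {"cdn.lgaircon.xyz", "www.roomako.com"}

def parse_version(text: str) -> tuple:
    """Turn '15.8.7' into (15, 8, 7) so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(version: str, office_companion: bool = False) -> bool:
    """True when the installed version is below the fixed release for its edition."""
    fixed = FIXED_OFFICE_COMPANION if office_companion else FIXED_CITYWORKS
    v = parse_version(version)
    # Pad the shorter tuple with zeros so (23, 10) vs (23, 10, 0) compares sanely
    width = max(len(v), len(fixed))
    return (v + (0,) * (width - len(v))) < (fixed + (0,) * (width - len(fixed)))

# Constructed sample log lines (assumed format: "<timestamp> <src-ip> <hostname> <action>")
SAMPLE_LOGS = """\
2025-02-03T10:01:22Z 10.0.5.21 update.microsoft.com ALLOW
2025-02-03T10:02:07Z 10.0.5.21 cdn.lgaircon.xyz ALLOW
2025-02-03T10:05:41Z 10.0.5.30 www.roomako.com ALLOW
2025-02-03T10:06:13Z 10.0.5.30 example.org ALLOW
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_c2_hits(lines: Iterable[str]) -> list:
    """Return (timestamp, src_ip, hostname) for each line that contacted a listed C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole review
        ts, src, host, _action = m.groups()
        if host.lower() in C2_DOMAINS:
            hits.append((ts, src, host))
    return hits
```

Any hit from `find_c2_hits` identifies the internal host to isolate and examine for the web shells and loaders described above; a `True` from `is_vulnerable` means the instance must be updated before it is exposed again.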
Conclusion
The exploitation of CVE-2025-0944 by the UAT-6382 group underscores the critical need for timely patching and robust cybersecurity measures. The potential impacts on municipal infrastructure, including disruptions to essential services and the theft of sensitive data, highlight the urgency for organizations to address these vulnerabilities. As cyber threats continue to evolve, it is imperative for entities to remain vigilant, implement comprehensive security strategies, and ensure that all systems are up to date with the latest security patches to mitigate future risks.
References
[1] https://sechub.in/view/3059096
[2] https://statescoop.com/chinese-hackers-cityworks-vulnerability-malware-2025/
[3] https://rewterz.com/threat-advisory/chinese-apt-uat-6382-targets-local-governments-via-cityworks-zero-day-active-iocs
[4] https://securityaffairs.com/178203/hacking/chinese-threat-actors-exploited-trimble-cityworks-flaw-to-breach-u-s-local-government-networks.html
[5] https://hackread.com/chinese-hackers-exploit-cityworks-0day-us-local-agencies/
[6] https://fieldeffect.com/blog/china-linked-threat-actor-breaches-government-networks-with-trimble-flaw
[7] https://www.csoonline.com/article/3994082/beijing-may-have-breached-us-government-systems-before-cityworks-plugged-a-critical-flaw.html
[8] https://dailysecurityreview.com/security-spotlight/chinese-hackers-exploit-cityworks-zero-day-to-breach-u-s-local-government-systems/
[9] https://hackmag.com/news/trimble-cityworks-attacks/
[10] https://cybermaterial.com/chinese-hackers-hit-us-utilities-via-flaw/
[11] https://thecyberthrone.in/2025/05/23/chinese-uat-6382-exploits-cityworks-zero-day-vulnerability/
[12] https://www.infosecurity-magazine.com/news/chinese-hackers-cityworks-local/