(TLP:CLEAR) Chinese APT Exploits Cityworks Zero-Day Vulnerability to Deliver Malware

TLP:CLEAR
Created: Thursday, May 22, 2025 - 15:06
Categories:
Cybersecurity, Security Preparedness

Summary: Researchers at Cisco Talos have observed exploitation of CVE-2025-0994, a remote code execution (RCE) vulnerability in Trimble Cityworks, by a Chinese advanced persistent threat tracked as UAT-6382. WaterISAC sent an advisory to members when the vulnerability was first disclosed in early February, and CISA stated at the time that it was aware of incidents in the water sector involving this vulnerability. Utilities that have not yet addressed the vulnerability should apply the fixed Cityworks releases identified in Trimble's advisory and hunt for signs of compromise, since exploitation is confirmed and ongoing.

Analyst Note: Other open source reporting indicates that UAT-6382 has used this same zero-day vulnerability to breach multiple local government bodies across the U.S. Following exploitation, the group deployed a Rust-based malware loader that backdoors compromised systems and provides long-term persistent access, along with web shells and custom malicious tools containing Chinese-language text. Cisco Talos also notes that the indicators of compromise (IOCs) from its observed intrusions overlap with the IOCs listed in Trimble's advisory from February, suggesting the same activity has been underway since at least the initial disclosure.

WaterISAC encourages utilities to search their environments for the indicators shared by CISA (attached to this advisory) and to review the details published by Cisco Talos. Utilities that outsource technology support are urged to ask their support vendors for assistance in recognizing and searching for these indicators and in assessing Trimble's security advisory against their own Cityworks deployments.

Original Source: https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/

Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 8, 10, 10.2, 12