Chinese-speaking hackers targeting US municipalities with Cityworks bug
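Chinese hackers are exploiting CVE-2025-0994, a vulnerability in the Trimble Cityworks tool, to attack US local government systems, implanting malware for long-term control and targeting utilities. The tools show Chinese-language characteristics; CISA has issued a warning and required remediation. 2025-5-22 18:1:28 Author: therecord.media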

A vulnerability in a critical tool used by local governments across the U.S. is being exploited by Chinese-speaking hackers, according to incident responders. 

Since January, cybersecurity experts at Cisco Talos have seen Chinese hackers exploiting CVE-2025-0994 — a bug impacting Trimble Cityworks. The tool is used by local governments to manage critical infrastructure assets from one platform and organize inspections, work orders, permits, operations and more.

Both Trimble and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in February that CVE-2025-0994 was being exploited, but Cisco Talos has confirmed that the hackers “conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.”

“Upon gaining access, [the hackers] expressed a clear interest in pivoting to systems related to utilities management,” Cisco Talos explained in a blog on Thursday. 

The malware and other tools used during the attacks “contained messaging written in the Chinese language” and one of them was built “using a malware-builder called ‘MaLoader’ that is also written in Simplified Chinese.” While some of the tools can be configured to use limited English, most require some level of Chinese proficiency.

Based on the tools used, the tactics and the victims, Cisco Talos said they assessed with “high confidence” that the people behind the attacks were Chinese-speaking threat actors. 

Once access to a government system was achieved, the hackers looked for directories and files of interest before preparing them for exfiltration. 

Federal agencies were ordered to patch CVE-2025-0994 by February 28. The asset management system is used by many local and federal government agencies to manage infrastructure assets for airports, utilities, municipalities and counties.

In a letter to customers earlier this year, the company behind the software said notice of the vulnerability followed “investigations of reports of unauthorized attempts to gain access to specific customers' Cityworks deployments.”

CISA said Trimble reported the vulnerability to them and Symantec’s Threat Hunter team contributed to the advisory they released about the bug.

Article source: https://therecord.media/chinese-speaking-hackers-target-municipalities-cityworks