Asset management software Cityworks had a security flaw

Trimble Cityworks, software used by cities to manage assets on infrastructure projects, contained a flaw that allowed elevated user permissions.
The Cybersecurity and Infrastructure Security Agency on Thursday issued an advisory that Cityworks, asset management software developed by the Colorado technology firm Trimble, contained a security vulnerability that risked bad actors gaining administrative access.

Trimble discovered that its Cityworks application, which allows municipalities to map their infrastructure projects — integrating public utilities such as electric, gas and water, with spatial mapping, permits and licenses — had “overprivileged Internet Information Services identity permissions.”

“This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services web server,” the advisory warns, adding that the flaw could be weaponized in real-world attacks on utilities.

Internet Information Services, or IIS, is a Microsoft web server used for hosting websites, applications and services on Windows.

Among the most common remote code execution attacks are injection attacks, in which bad actors use input forms or other means to trick systems into running malicious code.

Trimble released an updated version to its Cityworks software on Jan. 29 after an internal investigation showed “unauthorized attempts to gain access to specific customers’ Cityworks deployments,” according to an undated company memo.

“Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services identity permissions,” the email read. “Trimble recommends the attachment directory root configuration be limited to folders/subfolders which only contain attachments.”
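The memo's two recommendations, a narrowly scoped attachment root and a non-overprivileged IIS identity, can be checked together from the web server. The PowerShell below is an added example written for this article; it is not code from Trimble, Cityworks or CISA, and the application pool name, site root and attachment root it takes are placeholders that an administrator substitutes with the values from their own deployment. It flags an attachment root that is not strictly below the site root, and lists every directory under the site root where the application pool identity holds write-capable rights outside that attachment root.

```powershell
# Added example, not vendor code. Audits what an IIS application pool identity
# may write to under a site, relative to the configured attachment root.
param(
    [string]$AppPoolName    = 'CityworksAppPool',                         # placeholder
    [string]$SiteRoot       = 'C:\inetpub\wwwroot\Cityworks',             # placeholder
    [string]$AttachmentRoot = 'C:\inetpub\wwwroot\Cityworks\Attachments'  # placeholder
)

# Virtual account that IIS runs the pool's worker process as.
$identity = "IIS AppPool\$AppPoolName"

# Any of these rights lets the identity create or alter files in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AttachmentRootScope {
    # True only when the attachment root is a proper subfolder of the site root.
    # An attachment root equal to, or above, the site root lets uploads land
    # beside the application's own files.
    param([string]$Root, [string]$Site)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    $siteFull = [System.IO.Path]::GetFullPath($Site).TrimEnd('\') + '\'
    return ($rootFull -ne $siteFull) -and
           $rootFull.StartsWith($siteFull, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-WritableByIdentity {
    # Directories at or below $Path where $Identity is granted write-capable rights
    # (explicit or inherited ACEs alike).
    param([string]$Path, [string]$Identity)
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ieq $Identity -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{ Path = $dir.FullName; Rights = $ace.FileSystemRights }
            }
        }
    }
}

if (-not (Test-AttachmentRootScope -Root $AttachmentRoot -Site $SiteRoot)) {
    Write-Warning "Attachment root '$AttachmentRoot' is not a proper subfolder of '$SiteRoot'."
}

$attachPrefix = [System.IO.Path]::GetFullPath($AttachmentRoot).TrimEnd('\') + '\'
$outside = Get-WritableByIdentity -Path $SiteRoot -Identity $identity |
    Where-Object {
        $p = $_.Path.TrimEnd('\') + '\'
        -not $p.StartsWith($attachPrefix, [System.StringComparison]::OrdinalIgnoreCase)
    }

if ($outside) {
    Write-Warning "$identity can write outside the attachment root:"
    $outside | Format-Table -AutoSize
} else {
    Write-Output "$identity has no write-capable rights under '$SiteRoot' outside '$AttachmentRoot'."
}
```

Run it in an elevated PowerShell session on the web server, since reading ACLs under inetpub typically requires administrative rights. Each path the script reports is one where the pool identity could place or modify content, which is the condition the advisory describes as overprivileged; the usual fix is to remove the identity's write grants on those paths (for example with icacls /remove:g) so that only the attachment folders remain writable.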