In late February 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert regarding a ransomware attack targeting Trimble Cityworks, an asset management platform widely used by local governments and infrastructure organizations across the United States. The attack, detailed in a report by Cyber Security Hub, exploits vulnerabilities in Cityworks’ systems, enabling attackers to encrypt critical data and disrupt municipal operations. This incident, discovered in early 2025, has raised concerns about the security of software integral to managing public infrastructure, from utilities to public works.
The ransomware attack likely began with attackers exploiting a known vulnerability or using phishing tactics to gain access to Cityworks’ systems, as is common in such campaigns. Once inside, the attackers deployed ransomware to lock critical files, demanding payment for decryption keys. CISA’s advisory, released on February 26, 2025, confirmed active exploitation and urged organizations to apply patches immediately. The attack’s impact is particularly severe given Cityworks’ role in managing essential services like water systems, road maintenance, and public safety assets, potentially affecting thousands of residents in impacted municipalities.
The ransomware attack has caused significant disruptions for local governments relying on Trimble Cityworks. Affected municipalities have reported delays in service delivery, including asset maintenance and permitting processes, which could compromise public safety and infrastructure management. While specific cities impacted were not detailed in the report, the widespread use of Cityworks suggests a broad potential impact. The incident underscores the vulnerability of third-party software providers, whose compromise can create a domino effect across multiple organizations, amplifying the damage of a single breach.
This attack aligns with a troubling trend of ransomware targeting public sector entities, as seen in recent incidents like the St. Paul cyberattack in July 2025. According to CISA, ransomware remains a top cybersecurity threat, with 59% of attacks in 2025 occurring in the U.S.. The Trimble Cityworks breach highlights the risks of unpatched software and inadequate cybersecurity measures in critical infrastructure. Attackers, potentially including sophisticated groups like Black Basta, exploit these weaknesses to extort funds or disrupt services, often with severe consequences for public welfare.
CISA is working with Trimble to investigate the attack and support affected organizations, emphasizing the need for immediate patching and enhanced security measures like multi-factor authentication and regular backups. Local governments are urged to review CISA’s StopRansomware resources for mitigation strategies. This incident serves as a wake-up call for public and private entities to prioritize cybersecurity investments and vendor risk management to protect critical infrastructure. As the investigation continues, the focus remains on restoring services and preventing further exploitation of this widely used platform.
SOURCE: https://www.cshub.com/attacks/articles/cyber-attacks-data-breaches-in-february-2025