Are You at Risk After the Cityworks Breach? What Every Local Government Employee Needs to Know

May 23, 2025

If your agency relies on Cityworks, recent news may have you on edge. A sophisticated group of hackers exploited a vulnerability in Cityworks software, affecting several local government bodies across the U.S. The breach, made possible by a zero-day vulnerability (CVE-2025-0994), has put critical data at risk. Understanding what was compromised and how you can protect yourself is now more important than ever.

What Data Points Were Leaked?

When hackers broke into Cityworks, they weren’t just poking around—they were after real, valuable information. The breach led to unauthorized access to a broad range of sensitive data used by local government agencies. Here’s what was at risk:

  • Employee Details: Names, work emails, job titles, and in some cases, contact numbers.
  • Internal Communications: Emails, memos, and files shared within and between departments.
  • Infrastructure Data: Maps, blueprints, and records tied to public utilities, waterworks, and city planning.
  • Service Requests and Reports: Information about city maintenance, complaints, and public works logs.

How Did Hackers Get In?

The attackers took advantage of a zero-day vulnerability—tracked as CVE-2025-0994—that hadn’t been patched yet. Once inside, they didn’t waste time. Using tools like Cobalt Strike and VSHell, the hackers could:

  • Move Laterally: Jump from one system to another, gathering more data as they went.
  • Extract Data Stealthily: These tools let hackers hide their tracks, making it harder to detect the breach in real time.
  • Deploy Webshells (e.g., AntSword): This gave them remote control over compromised servers, allowing ongoing access for data theft.

What makes Cobalt Strike and VSHell especially dangerous? These programs are legitimate security tools, but when misused, they give attackers a powerful way to mimic real users and escalate their access quietly. It’s a bit like someone stealing a master key and walking through the building unnoticed, taking what they want.

For local governments, the breach wasn’t just about losing files—it was about exposing the backbone of city operations. If your agency uses Cityworks, it’s important to understand just how much information could have been compromised.

Should You Be Worried?

When news breaks about a security vulnerability like the Cityworks breach (tracked as CVE-2025-0994), it’s natural to wonder, “How bad is it for me or my agency?” The answer: it’s worth your attention—maybe even a bit of healthy anxiety.

What Does This Breach Mean for You?

Cityworks is used by public utilities and local governments to manage everything from waterworks to public safety. If you’re an employee or IT manager, here’s what you need to consider:

  • Personal Information Exposure: Attackers could access sensitive employee data—think names, emails, and even credentials. This could make you a target for phishing or identity theft.
  • Operational Disruption: If hackers get into the Cityworks system, they might disrupt essential services. For agencies, downtime can mean everything from delayed repairs to compromised public safety.
  • Loss of Public Trust: Public-facing agencies run on trust. A breach like this can erode confidence overnight, impacting both reputation and community relationships.

Why Is the Cityworks Breach Such a Big Deal?

Let’s be clear: vulnerabilities in software used by critical infrastructure are not just another day at the office. Here’s why this specific incident should raise eyebrows:

  • Centralized Access: Cityworks connects to a lot of moving parts—asset records, work orders, and even geographic information systems (GIS). A breach here could give attackers a map of your entire operation.
  • Widespread Use: Many agencies rely on Cityworks. This means a single vulnerability can ripple across cities, counties, and public utilities nationwide.
  • Potential for Escalation: Attackers aren’t just after one agency. Once they’re in, they can pivot to other connected systems, amplifying the damage.

Broader Implications for Public Utilities

The Cityworks breach is a wake-up call for anyone managing critical infrastructure. Here’s what’s at stake:

  • Service Interruptions: Utilities like water, electricity, and waste management depend on systems like Cityworks. An exploit could bring parts of a city to a grinding halt.
  • Safety Risks: In some cases, attackers could manipulate maintenance records or shut down systems, putting public safety at risk.
  • Regulatory Consequences: Agencies may face investigations, fines, or legal action if data is compromised and protections were lacking.

The Value of Proactive Protection

Incidents like this underline why agencies need smart, proactive security measures. For example, Cloaked offers privacy and data protection solutions designed to shield sensitive information—even if a breach happens. By limiting what data is stored and who can access it, tools like Cloaked help prevent attackers from finding an open door in the first place.

Bottom line: If you’re using Cityworks or similar platforms, it’s time to review your security practices. Don’t wait for the next headline.

What Should Be Your Next Steps?

Securing your systems isn’t a one-time task; it’s an ongoing responsibility. Recent incidents like the Cityworks breach have made it clear—waiting until “later” is risky business. Whether you’re running an agency or clocking in as an employee, you need a plan that’s clear, practical, and actually works.

1. Patch and Update—No Excuses

When a vulnerability like CVE-2025-0994 is disclosed, attackers move fast. So should you. Outdated software is a welcome mat for hackers. Set aside time every week to:

  • Install security updates for all operating systems, applications, and firmware.
  • Automate patch management where possible, so you’re not relying on memory or sticky notes.
  • Check vendor advisories regularly, especially for tools as central as Cityworks.

Neglecting updates is like ignoring a check engine light. You might get away with it for a bit, but the cost when things go wrong is much higher.

2. Strengthen Access Controls

Not everyone in your organization needs access to sensitive data or admin panels. Limit permissions to only what’s necessary:

  • Enable multi-factor authentication (MFA) everywhere it’s available—especially for critical systems.
  • Review user permissions every quarter. Remove access for people who no longer need it.

3. Encrypt and Protect Sensitive Data

Data exposure can be catastrophic. Make sure sensitive files and communications are locked down:

  • Encrypt data at rest and in transit.
  • Regularly back up critical data to secure, isolated locations.
  • Monitor for unusual data activity that could signal a breach in progress.

Tools like Cloaked can help here—offering automated data redaction and proactive leak detection. If you handle personal or regulated data, solutions like this act as an extra safety net, alerting you before information spills out.

4. Educate Your Team

Technology alone can’t save you if your staff isn’t paying attention.

  • Run regular security training that covers phishing, safe browsing, and new threats.
  • Test employees with simulated attacks to spot weak points before real attackers do.
  • Create a culture where reporting suspicious activity is encouraged—no one should hesitate to speak up.

5. Prepare for the Worst

Despite your best efforts, breaches can happen. Preparation saves chaos:

  • Develop a clear incident response plan with roles and contact information.
  • Run tabletop exercises so everyone knows what to do under pressure.
  • Keep contact lists for vendors, law enforcement, and response partners up to date.

Being ready isn’t paranoia—it’s common sense, especially when sensitive information is on the line.

Take these steps seriously. No organization is too small or too big to become a target. The difference between a close call and a disaster often comes down to the basics: patching, monitoring, and keeping your people sharp.
