US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

CERT/CC disclosed serious data exposure vulnerabilities in Workhorse Software used by hundreds of U.S. cities and towns.

CERT Coordination Center (CERT/CC) at Carnegie Mellon University disclosed two serious data exposure flaws in an accounting application developed by Workhorse Software Services and used by hundreds of U.S. cities and towns.

CERT/CC disclosed the vulnerabilities only after the vendor had addressed them.

The researcher James Harrold of Sparrow IT Solutions reported both vulnerabilities, which affect software versions before 1.9.4.48019.

“Workhorse Software Services, Inc municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration.” reads the Vulnerability Note published by CERT/CC. “Specifically, database connection information is stored in plaintext alongside the application executable, and the software allows unauthenticated users to create unencrypted database backups from the login screen.”

Workhorse Software Services provides software solutions to hundreds of municipalities in Wisconsin.

The first vulnerability is a plaintext database connection string issue tracked as CVE-2025-9037. The SQL Server connection string is stored in a plaintext configuration file located alongside the executable. The directory is usually located on a shared network folder on the same server as the SQL database. If SQL authentication is used, an attacker with read access to the directory can recover the credentials in this file.

The second vulnerability is an unauthenticated database backup functionality tracked as CVE-2025-9040. The app’s File menu lets users back up the database to an unencrypted ZIP, creating a .bak file that can be restored on any SQL Server without a password.

“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data.” continues the Vulnerability Note. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”

CERT/CC urges updating Workhorse Software to version 1.9.4.48019 immediately. Additional safeguards include restricting directory access, enabling SQL encryption and Windows Authentication, disabling the backup feature, and using network segmentation with firewalls to limit database access.
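As an added example (not code from the article, from CERT/CC, or from Workhorse Software), the following Python script shows how an administrator can audit the configuration files sitting next to an application for the weak pattern behind CVE-2025-9037: a SQL Server connection string that embeds SQL-authentication credentials in plaintext and does not require transport encryption, as opposed to the Windows Authentication and encryption settings recommended above. The scanned file types, the key names checked, and the two sample config files it builds in a temporary directory are assumptions or constructed for illustration; the page does not name the vendor's actual configuration file.

```python
"""Audit SQL Server connection strings stored in plaintext config files.

Flags SQL-auth credentials (User ID / Password) found beside an
application, and reports whether Windows Authentication (Integrated
Security) and Encrypt=True are in use instead. Added example; the file
names and sample contents below are constructed, not the vendor's.
"""
import re
import tempfile
from pathlib import Path

# Connection-string keys that carry SQL-authentication credentials.
CREDENTIAL_KEYS = ("user id", "uid", "password", "pwd")
# Keys that select Windows Authentication instead.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
# Config file types to scan next to the executable (assumption).
CONFIG_SUFFIXES = {".config", ".ini", ".xml", ".txt", ".json"}

# A connection string starting at Server= or Data Source= and running to
# the end of the surrounding attribute value or line.
CONN_RE = re.compile(r"(?i)\b(?:data source|server)\s*=[^\"'\r\n<]+")


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    parts = {}
    for segment in conn.split(";"):
        key, sep, value = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts


def classify(conn: str) -> dict:
    """Report whether a connection string embeds SQL-auth credentials,
    uses Windows Authentication, and requires transport encryption."""
    p = parse_connection_string(conn)
    sql_auth = any(k in p for k in CREDENTIAL_KEYS)
    integrated = any(p.get(k, "").lower() in ("true", "sspi", "yes")
                     for k in INTEGRATED_KEYS)
    encrypt = p.get("encrypt", "").lower() in ("true", "yes", "mandatory", "strict")
    findings = []
    if sql_auth:
        findings.append("SQL-auth credentials stored in plaintext")
    if not integrated and not sql_auth:
        findings.append("no authentication mode specified")
    if not encrypt:
        findings.append("Encrypt not set; transport encryption not required")
    return {
        "server": p.get("server") or p.get("data source"),
        "sql_auth": sql_auth,
        "integrated": integrated,
        "encrypt": encrypt,
        "findings": findings,
    }


def find_connection_strings(text: str) -> list:
    """Extract candidate connection strings from file contents."""
    return [m.group(0).strip() for m in CONN_RE.finditer(text)]


def audit_directory(directory: Path) -> list:
    """Scan config files under `directory`; one record per connection string."""
    results = []
    for path in sorted(directory.rglob("*")):
        if path.suffix.lower() not in CONFIG_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for conn in find_connection_strings(text):
            record = classify(conn)
            record["file"] = path.name
            results.append(record)
    return results


def demo() -> list:
    """Build a constructed application directory with one weak and one
    hardened config file, audit it, and return the finding records."""
    weak = ('<connectionStrings>\n'
            '  <add name="Main" connectionString="Server=SQL01;Database=Muni;'
            'User ID=appuser;Password=Spring2025!" />\n'
            '</connectionStrings>\n')
    strong = ('[database]\n'
              'ConnectionString=Server=SQL01;Database=Muni;'
              'Integrated Security=SSPI;Encrypt=True\n')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.config").write_text(weak, encoding="utf-8")
        (root / "settings.ini").write_text(strong, encoding="utf-8")
        return audit_directory(root)


if __name__ == "__main__":
    for r in demo():
        status = "WEAK" if r["findings"] else "OK"
        print(f"{status:4} {r['file']}: {r['server']} -> {r['findings']}")
```

Run against a real installation by pointing `audit_directory` at the application folder; any record whose `findings` list is non-empty is a file that should be locked down (directory ACLs) and, where possible, switched to Windows Authentication with encryption, so that read access to the share no longer yields usable database credentials.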

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT/CC)
