Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data

CERT/CC has disclosed the details of information exposure vulnerabilities in a Workhorse Software application after patches were released. 

Two potentially serious vulnerabilities have been found by a researcher in accounting software used by hundreds of cities and towns.

The affected application is made by Workhorse Software Services, which provides software solutions to 310 municipalities in Wisconsin. The vendor has released patches and mitigations after being notified.

The vulnerabilities, discovered by researcher James Harrold of Sparrow IT Solutions, were disclosed this week by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. 

One of the flaws, tracked as CVE-2025-9037, is an information exposure issue related to SQL server connection credentials being stored in a plaintext file that is typically in a shared network folder.

The second issue, CVE-2025-9040, is related to the availability of a database backup feature accessible from the login screen that allows the creation of an unencrypted database backup file, which can later be restored on any SQL server without a password.

This database backup can be copied by anyone with physical access to the device running the Workhorse software, or by malware present on the system.

Advertisement. Scroll to continue reading.

“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data,” CERT/CC said. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”

Version 1.9.4.48019 patches the vulnerabilities and mitigations are also available. In addition to releasing patches and mitigations, Workhorse pointed out that customers have been responsible for the SQL authentication method used by the software, and the problematic backup functionality has always been optional. 

Related: Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment

Related: ‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks

Related: Unpatched Ruckus Vulnerabilities Allow Wireless Environment Hacking

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.