
Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data

CERT/CC has disclosed the details of information exposure vulnerabilities in a Workhorse Software application after patches were released. 

Two potentially serious vulnerabilities have been found by a researcher in accounting software used by hundreds of cities and towns.

The affected application is made by Workhorse Software Services, which provides software solutions to 310 municipalities in Wisconsin. The vendor has released patches and mitigations after being notified.

The vulnerabilities, discovered by researcher James Harrold of Sparrow IT Solutions, were disclosed this week by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. 

One of the flaws, tracked as CVE-2025-9037, is an information exposure issue: the SQL Server connection credentials are stored in a plaintext file that typically sits in a shared network folder, where anyone who can reach the share can read them.

The second issue, CVE-2025-9040, stems from a database backup feature that can be invoked from the login screen, before any authentication, and that writes an unencrypted database backup file; such a file can later be restored on any SQL Server instance without a password.

This database backup can be copied by anyone with physical access to the device running the Workhorse software, or by malware present on the system.
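The two conditions described above, credentials embedded in a config file on a share and loose backup files that anyone can restore elsewhere, are easy to sweep for. The script below is an added example written for this article, not code from Workhorse or CERT/CC: it walks a directory tree standing in for a shared network folder, classifies any SQL Server connection strings it finds (SQL authentication with an embedded password versus Windows integrated authentication), redacts the password in what it reports, and flags backup files by extension. The file names, extensions and sample contents are constructed for the demonstration and are not Workhorse's actual file layout.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# File types worth inspecting. These extensions are assumptions for this
# example, not Workhorse's real file names.
CONFIG_SUFFIXES = {".ini", ".config", ".cfg", ".xml", ".txt", ".json"}
BACKUP_SUFFIXES = {".bak", ".trn"}

# A SQL Server connection string names a server; SQL authentication embeds a
# password, while Windows (integrated) authentication does not.
SERVER_KEY = re.compile(r"(?i)\b(?:data source|server|addr|address)\s*=")
PLAINTEXT_PW = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;\s\"']+)")
INTEGRATED = re.compile(
    r"(?i)\b(?:integrated security\s*=\s*(?:sspi|true|yes)"
    r"|trusted_connection\s*=\s*(?:yes|true))"
)


def classify_connection_string(line: str) -> str | None:
    """Classify one line of a config file.

    Returns None if the line is not a SQL Server connection string,
    'plaintext_sql_auth' if it embeds a password (the CVE-2025-9037 pattern),
    'integrated_auth' if it relies on Windows authentication, or
    'unknown_auth' if it names a server but neither form is recognisable.
    """
    if not SERVER_KEY.search(line):
        return None
    if PLAINTEXT_PW.search(line):
        return "plaintext_sql_auth"
    if INTEGRATED.search(line):
        return "integrated_auth"
    return "unknown_auth"


def redact(line: str) -> str:
    """Replace the password value so findings can be logged safely."""
    return PLAINTEXT_PW.sub(lambda m: m.group(0)[: -len(m.group(1))] + "***", line)


def scan_share(root: Path) -> list[dict]:
    """Walk a share and report plaintext credentials and backup files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in BACKUP_SUFFIXES:
            # A backup on the share is a finding by itself; whether it was taken
            # WITH ENCRYPTION must be checked on a SQL Server instance.
            findings.append({
                "path": str(path.relative_to(root)),
                "kind": "backup_file",
                "detail": f"{path.stat().st_size} bytes; verify encryption with RESTORE HEADERONLY",
            })
            continue
        if suffix not in CONFIG_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if classify_connection_string(line) == "plaintext_sql_auth":
                findings.append({
                    "path": str(path.relative_to(root)),
                    "kind": "plaintext_sql_credentials",
                    "detail": f"line {lineno}: {redact(line.strip())}",
                })
    return findings


def build_sample_share(root: Path) -> None:
    """Create a constructed share layout (sample data only)."""
    (root / "app").mkdir(parents=True)
    # Weak: SQL authentication with the password in the file.
    (root / "app" / "settings.ini").write_text(
        "[database]\n"
        "ConnectionString=Server=FIN-SQL01;Database=Accounting;User Id=sa;Password=Summer2025!;\n"
    )
    # Hardened: Windows authentication, no secret on disk, TLS to the server.
    (root / "app" / "hardened.config").write_text(
        '<add name="db" connectionString="Server=FIN-SQL01;Database=Accounting;'
        'Integrated Security=SSPI;Encrypt=True" />\n'
    )
    (root / "backups").mkdir()
    (root / "backups" / "Accounting_full.bak").write_bytes(b"\x00" * 64)  # placeholder bytes


def demo() -> list[dict]:
    """Build the sample share in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:28} {f['path']}: {f['detail']}")
```

Run against a real share, the scanner reports the settings file with the password masked and every backup file it finds; the hardened config, which uses Integrated Security instead of a stored SQL login, produces no finding. The backup finding only tells you a file exists and is exposed; whether it was taken WITH ENCRYPTION has to be confirmed on a SQL Server instance, where RESTORE HEADERONLY reports the key algorithm and encryptor for encrypted backups.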


“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data,” CERT/CC said. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”

Version 1.9.4.48019 patches both vulnerabilities, and mitigations are also available. Workhorse also pointed out that customers have been responsible for choosing the SQL authentication method used by the software, and that the problematic backup functionality has always been optional.

Related: Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment

Related: ‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks

Related: Unpatched Ruckus Vulnerabilities Allow Wireless Environment Hacking

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
