Vulnerabilities

Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data

CERT/CC has disclosed the details of information exposure vulnerabilities in a Workhorse Software application after patches were released. 

CERT/CC has disclosed the details of information exposure vulnerabilities in a Workhorse Software application after patches were released. 

Two potentially serious vulnerabilities have been found by a researcher in accounting software used by hundreds of cities and towns.

The affected application is made by Workhorse Software Services, which provides software solutions to 310 municipalities in Wisconsin. The vendor has released patches and mitigations after being notified.

The vulnerabilities, discovered by researcher James Harrold of Sparrow IT Solutions, were disclosed this week by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. 

One of the flaws, tracked as CVE-2025-9037, is an information exposure issue related to SQL server connection credentials being stored in a plaintext file that is typically in a shared network folder.

The second issue, CVE-2025-9040, is related to the availability of a database backup feature accessible from the login screen that allows the creation of an unencrypted database backup file, which can later be restored on any SQL server without a password.

This database backup can be copied by anyone with physical access to the device running the Workhorse software, or by malware present on the system.

Advertisement. Scroll to continue reading.

“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data,” CERT/CC said. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”

Version 1.9.4.48019 patches the vulnerabilities and mitigations are also available. In addition to releasing patches and mitigations, Workhorse pointed out that customers have been responsible for the SQL authentication method used by the software, and the problematic backup functionality has always been optional. 

Related: Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment

Related: ‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks

Related: Unpatched Ruckus Vulnerabilities Allow Wireless Environment Hacking

Related Content

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

Tracked as CVE-2026-11405, the vulnerability allows unauthenticated attackers to access a device's web management interface.

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Vulnerabilities

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Vulnerabilities

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Vulnerabilities

CISA says threat actors are exploiting a recently patched SharePoint remote code execution vulnerability (CVE-2026-45659).

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version