The CERT Coordination Center (CERT/CC) has issued a security advisory warning of two vulnerabilities in Workhorse Software Services’ municipal accounting software that could give unauthorized parties access to sensitive government financial data and personally identifiable information.
The vulnerabilities, tracked as CVE-2025-9037 and CVE-2025-9040, affect all versions of the Workhorse municipal accounting software prior to version 1.9.4.48019.
These flaws present significant risks to municipalities using the platform, potentially exposing Social Security numbers, complete financial records, and other confidential municipal data to unauthorized access.
Critical Design Flaws Enable Data Theft
The security issues stem from two design problems in the software rather than from a single coding mistake. The first, CVE-2025-9037, is that the application stores its SQL Server connection strings, including any SQL login and password they carry, in plaintext configuration files in the same directory as the application executable.
Because the application is typically installed on a shared network folder, often hosted by the same server that runs the SQL database, anyone with read access to that share can recover the database credentials whenever SQL authentication (a login and password in the connection string) is in use rather than Windows authentication.
The second critical flaw, CVE-2025-9040, allows unauthenticated users to create complete database backups directly from the login screen through the application’s “File” menu.
The function runs a SQL Server Express backup and writes the resulting database file into an unencrypted ZIP archive. Because the backup is neither encrypted nor password-protected, it can be restored on any SQL Server instance the attacker controls, giving full read access to the data without ever authenticating to the application.
| CVE ID | Vulnerability type | CVSS score | Impact |
|---|---|---|---|
| CVE-2025-9037 | Information disclosure (plaintext credential storage) | Not available | Database credentials recoverable from configuration files |
| CVE-2025-9040 | Authentication bypass (unauthenticated backup) | Not available | Full database backup created and exfiltrated without logging in |
The implications of these vulnerabilities extend far beyond simple data exposure. Attackers exploiting these flaws could potentially access complete municipal databases containing sensitive personally identifiable information, comprehensive financial records, and other confidential government data.
Beyond data theft concerns, possession of database backups could enable malicious actors to tamper with financial records, potentially compromising audit trails and undermining the integrity of municipal financial operations.
CERT/CC recommends updating immediately to version 1.9.4.48019 or later, which addresses both issues.
Organizations that cannot patch right away should apply several mitigations together: restrict NTFS permissions on the application directory and share so that only the accounts that actually run the software can read its configuration files; switch the connection string to Windows Authentication so that no SQL login or password is stored on disk, and enable encryption for connections to SQL Server; disable the login-screen backup function through the vendor or the application’s configuration; and segment the network with firewall rules so that only the hosts that need it can reach the SQL Server instance.
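As an added example (not part of the CERT/CC note or of Workhorse’s software), the following Python script performs the check a practitioner would want for the plaintext connection-string problem described above, and emits the Windows Authentication replacement that the mitigations call for. It walks configuration files, pulls out anything that looks like an ADO.NET connection string, flags strings that carry a SQL login and password, and rebuilds each flagged string without credentials and with encryption required. The file names, server names, logins and passwords in the embedded samples are constructed; Workhorse’s actual configuration format is not documented on this page, so the script treats any quoted value or line containing a `Server=` or `Data Source=` key as a candidate.

```python
"""Audit configuration files for SQL Server connection strings that embed
SQL-authentication credentials, and propose a Windows-authentication
replacement. Added example; file names, hosts and logins below are constructed."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid", "user"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
# Keys the hardened string sets itself; every other key is carried over unchanged.
REPLACED_KEYS = PASSWORD_KEYS | USER_KEYS | INTEGRATED_KEYS | {"encrypt", "trustservercertificate"}

# ADO.NET syntax: Key=Value pairs separated by ';'. A value wrapped in {...},
# '...' or "..." may itself contain ';' (common for passwords).
PAIR_RE = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|'[^']*'|\"[^\"]*\"|[^;]*)\s*(?:;|$)")
# Heuristic: a quoted attribute value (app.config style) or the rest of a line
# (INI style) that contains a Server= or Data Source= key.
CANDIDATE_RE = re.compile(
    r"\"([^\"]*(?:Server|Data Source)\s*=[^\"]*)\"|((?:Server|Data Source)\s*=.*)", re.I)


@dataclass
class Finding:
    source: str          # file the string came from
    line_no: int
    user: Optional[str]  # SQL login named in the string, if any
    sql_auth: bool       # True when a password is stored, or a login appears without integrated security
    hardened: str        # proposed replacement connection string


def parse_connection_string(text: str) -> List[Tuple[str, str]]:
    """Split an ADO.NET connection string into (key, value) pairs, preserving order and case."""
    pairs = []
    for m in PAIR_RE.finditer(text):
        key, val = m.group(1).strip(), m.group(2).strip()
        if len(val) >= 2 and val[0] in "{'\"" and val[-1] in "}'\"":
            val = val[1:-1]  # strip the quoting that protected an embedded ';'
        pairs.append((key, val))
    return pairs


def _lookup(pairs, names):
    for key, val in pairs:
        if key.lower() in names:
            return val
    return None


def uses_sql_authentication(pairs) -> bool:
    """A stored password, or a login without Integrated Security, means SQL authentication."""
    integrated = (_lookup(pairs, INTEGRATED_KEYS) or "").lower() in {"true", "sspi", "yes"}
    return _lookup(pairs, PASSWORD_KEYS) is not None or (
        not integrated and _lookup(pairs, USER_KEYS) is not None)


def harden(pairs) -> str:
    """Drop the login and password, authenticate with the Windows identity of the
    process, and require an encrypted connection whose server certificate is validated."""
    kept = [f"{k}={v}" for k, v in pairs if k.lower() not in REPLACED_KEYS]
    return ";".join(kept + ["Integrated Security=SSPI", "Encrypt=True",
                            "TrustServerCertificate=False"]) + ";"


def audit_text(source: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            pairs = parse_connection_string(m.group(1) or m.group(2))
            findings.append(Finding(source, line_no, _lookup(pairs, USER_KEYS),
                                    uses_sql_authentication(pairs), harden(pairs)))
    return findings


def audit_directory(root: str, patterns=("*.config", "*.ini", "*.xml", "*.json")) -> List[Finding]:
    """Walk an application folder (e.g. the shared install directory) and audit every config file."""
    findings = []
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            findings.extend(audit_text(str(path), path.read_text(errors="replace")))
    return findings


# Constructed sample inputs; the names do not refer to any real deployment.
SAMPLE_APP_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Accounting" connectionString="Server=SQL01\\SQLEXPRESS;Database=Muni;User ID=acct_app;Password={Summer;2025!}" />
    <add name="Reports" connectionString="Data Source=SQL01\\SQLEXPRESS;Initial Catalog=Muni;Integrated Security=SSPI;Encrypt=True" />
  </connectionStrings>
</configuration>
"""
SAMPLE_INI = "[database]\nConnectionString=Server=SQL01;Database=Muni;uid=sa;pwd=P@ss;\n"

if __name__ == "__main__":
    for f in audit_text("app.config", SAMPLE_APP_CONFIG) + audit_text("settings.ini", SAMPLE_INI):
        status = "SQL auth, credentials on disk" if f.sql_auth else "Windows auth"
        print(f"{f.source}:{f.line_no}: {status}; login={f.user!r}")
        if f.sql_auth:
            print(f"    replace with: {f.hardened}")
```

Two caveats apply when acting on the output. Moving to Integrated Security only helps if the Windows account that runs the application is granted a SQL Server login with the minimum rights it needs, and `TrustServerCertificate=False` will make connections fail until SQL Server presents a certificate the clients trust, which the self-signed default on a SQL Server Express instance does not. Hardening the connection string also does nothing for CVE-2025-9040: the login-screen backup runs over the application’s own database connection before any user has authenticated, so that flaw needs the vendor update or the backup function disabled.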
The vulnerabilities were discovered during a security audit and server installation by James Harrold of Sparrow IT Solutions.
The advisory, written by CERT/CC’s Timur Snoke, was published on August 19, 2025, as Vulnerability Note VU#706118.