The Computer Emergency Response Team Coordination Center (CERT/CC) has issued a critical security advisory warning of severe vulnerabilities in Workhorse Software Services' municipal accounting software that could allow unauthorized access to sensitive government financial data and personally identifiable information.
The vulnerabilities, tracked as CVE-2025-9037 and CVE-2025-9040, affect all versions of the Workhorse municipal accounting software prior to version 1.9.4.48019.
These flaws present significant risks to municipalities using the platform, potentially exposing Social Security numbers, complete financial records, and other confidential municipal data to unauthorized access.
Critical Design Flaws Enable Data Theft
The security issues stem from two fundamental design problems in the software architecture. The first vulnerability, CVE-2025-9037, involves the storage of SQL Server connection strings in plaintext configuration files located alongside the application executable.
In typical deployments, where these directories reside on shared network folders hosted by the same server running the SQL database, any individual with read access to the directory could potentially recover database credentials if SQL authentication is configured.
The second critical flaw, CVE-2025-9040, allows unauthenticated users to create full database backups directly from the login screen through the application's "File" menu.
This backup functionality executes MS SQL Server Express backup operations and saves the resulting database file inside an unencrypted ZIP archive, which can subsequently be restored to any SQL Server instance without requiring password authentication.
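One way a database administrator can detect abuse of the backup-from-login-screen behaviour described above is to watch the SQL Server ERRORLOG, which records every successful backup as a "Database backed up." message naming the database and the device it was written to. The following is an added example (not code from the advisory, the vendor, or CERT/CC) that parses such entries and raises an alert when a monitored database is backed up anywhere other than the approved backup directory, or outside the maintenance window. The log lines, the database name "Ledger", the share name, the paths, and the policy values are all constructed for the example.

```python
"""Flag unexpected SQL Server database backups from ERRORLOG entries.

Added example for detecting abuse of the backup-from-login-screen behaviour
(CVE-2025-9040). SQL Server records every successful backup in its ERRORLOG
as a 'Database backed up.' message that names the database and the device
the backup was written to; this parses such entries and alerts when a
monitored database is backed up anywhere other than the approved backup
directory, or outside the maintenance window. The log lines, database,
server share, paths and policy values are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed ERRORLOG excerpt laid out as SQL Server writes it:
# timestamp, source column, message text. Paths and names are hypothetical.
SAMPLE_LOG = r"""
2025-08-19 02:00:03.11 Backup      Database backed up. Database: Ledger, creation date(time): 2025/07/01(08:00:00), pages dumped: 2714, first LSN: 37:1264:37, last LSN: 37:1296:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'D:\SQLBackups\Ledger_20250819.bak'}). This is an informational message only. No user action is required.
2025-08-19 14:02:11.53 Backup      Database backed up. Database: Ledger, creation date(time): 2025/07/01(08:00:00), pages dumped: 2714, first LSN: 37:1300:12, last LSN: 37:1320:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'\\FILESRV\Apps\Accounting\Ledger.bak'}). This is an informational message only. No user action is required.
2025-08-19 14:05:40.02 spid52      Starting up database 'tempdb'.
"""

BACKUP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Backup\s+"
    r"Database backed up\. Database: (?P<db>[^,]+),.*?"
    r"device information: \(FILE=\d+, TYPE=(?P<kind>\w+): \{'(?P<device>[^']+)'\}\)"
)

# Detection policy (assumed for the example): the scheduled job writes only
# under this directory, during a 01:00-04:00 maintenance window.
MONITORED_DBS = {"ledger"}
APPROVED_ROOT = "D:\\SQLBackups\\"
MAINTENANCE_HOURS = range(1, 4)

@dataclass
class BackupEvent:
    when: datetime
    database: str
    device: str

@dataclass
class Alert:
    event: BackupEvent
    reasons: list = field(default_factory=list)

def parse_backups(log_text: str) -> list:
    """Extract one BackupEvent per 'Database backed up.' line."""
    events = []
    for line in log_text.splitlines():
        m = BACKUP_RE.match(line)
        if m is None:
            continue
        events.append(BackupEvent(
            when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            database=m["db"].strip(),
            device=m["device"],
        ))
    return events

def evaluate(events: list, approved_root: str = APPROVED_ROOT,
             hours: range = MAINTENANCE_HOURS) -> list:
    """Return an Alert for each monitored-database backup that violates policy."""
    alerts = []
    for ev in events:
        if ev.database.lower() not in MONITORED_DBS:
            continue
        reasons = []
        # Case-insensitive prefix check; Windows paths are case-insensitive.
        if not ev.device.lower().startswith(approved_root.lower()):
            reasons.append(f"backup written outside {approved_root}: {ev.device}")
        if ev.when.hour not in hours:
            reasons.append(f"backup at {ev.when:%H:%M} outside maintenance window")
        if reasons:
            alerts.append(Alert(ev, reasons))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_backups(SAMPLE_LOG)):
        print(alert.event.when, alert.event.database, "; ".join(alert.reasons))
```

The first sample entry is the nightly job writing under the approved directory at 02:00 and produces no alert; the second is a mid-afternoon backup to the application share and triggers both reasons. If trace flag 3226 has been enabled on the instance, these informational messages are suppressed from ERRORLOG, and the same facts should be read from msdb.dbo.backupset (joined to msdb.dbo.backupmediafamily for the device path) instead.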
| CVE ID | Vulnerability Type | CVSS Score | Impact |
| --- | --- | --- | --- |
| CVE-2025-9037 | Information Disclosure | Not Available | Database credential exposure via plaintext storage |
| CVE-2025-9040 | Authentication Bypass | Not Available | Unauthenticated database backup creation and exfiltration |
The implications of these vulnerabilities extend far beyond simple data exposure. Attackers exploiting these flaws could potentially access complete municipal databases containing sensitive personally identifiable information, comprehensive financial records, and other confidential government data.
Beyond data theft concerns, possession of database backups could enable malicious actors to tamper with financial records, potentially compromising audit trails and undermining the integrity of municipal financial operations.
CERT/CC strongly recommends immediately updating to software version 1.9.4.48019.
Organizations unable to apply the patch immediately should consider several mitigation strategies, including restricting access to application directories through NTFS permissions, enabling SQL Server encryption with Windows Authentication, disabling backup functionality at the vendor or configuration level, and implementing network segmentation with firewall rules to limit database access.
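The plaintext connection strings behind CVE-2025-9037 and the Windows Authentication and encryption mitigations recommended above can both be checked with a directory audit. The following is an added example (not code from the advisory, the vendor, or CERT/CC) that walks an application directory, extracts SQL Server connection strings from config files, and reports any that carry SQL-authentication credentials or omit transport encryption, alongside the hardened form of the same string. The file names, the server and database names, and the sample credential value are constructed; they are not the vendor's real configuration layout.

```python
"""Audit application directories for plaintext SQL Server connection strings.

Added example for the CVE-2025-9037 condition and the NTFS/Windows
Authentication mitigations: walk a directory tree (for instance a mounted
application share), pull connection strings out of config files, and report
any that carry SQL-authentication credentials or omit transport encryption.
File names, paths, server and database names are constructed; this is not
the vendor's actual configuration layout.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample config files in two styles commonly found next to a
# .NET executable. The first embeds SQL-auth credentials (the weak setting);
# the second uses Windows Authentication with encryption (the corrected one).
SAMPLE_FILES = {
    "App.exe.config": (
        '<configuration><connectionStrings>\n'
        '  <add name="Main" connectionString="Server=ACCT-SQL\\SQLEXPRESS;'
        'Database=Ledger;User ID=sa;Password=CONSTRUCTED-SAMPLE;" />\n'
        '</connectionStrings></configuration>\n'
    ),
    "reports.ini": (
        "[db]\n"
        "ConnectionString=Data Source=ACCT-SQL\\SQLEXPRESS;Initial Catalog=Ledger;"
        "Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;\n"
    ),
}

# Hardened form of the first string: no credentials in the file, TLS required.
HARDENED = "Server=ACCT-SQL\\SQLEXPRESS;Database=Ledger;Integrated Security=SSPI;Encrypt=True;"

CONFIG_EXTS = {".config", ".ini", ".xml", ".json", ".txt"}
# A SqlClient connection string names its server as Server= or Data Source=;
# capture from that key to the end of the attribute value or line.
CONN_RE = re.compile(r"(?:Server|Data Source)\s*=[^\"'<\n]*", re.IGNORECASE)

@dataclass
class Finding:
    path: str
    auth: str            # "sql" (credentials in file) or "windows"
    encrypted: bool      # Encrypt=True/Mandatory/Strict present
    password_present: bool

def parse_conn(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def classify(pairs: dict) -> tuple:
    """Return (auth_mode, encrypted, password_present) for parsed pairs."""
    windows = (pairs.get("integrated security", "").lower() in {"true", "sspi", "yes"}
               or pairs.get("trusted_connection", "").lower() in {"true", "sspi", "yes"})
    password = "password" in pairs or "pwd" in pairs
    encrypted = pairs.get("encrypt", "false").lower() in {"true", "yes", "mandatory", "strict"}
    # A password in the file means SQL auth is in use regardless of other flags.
    auth = "windows" if windows and not password else "sql"
    return auth, encrypted, password

def audit_directory(root: str) -> list:
    """Scan config files under root and return one Finding per connection string."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in CONFIG_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for match in CONN_RE.finditer(text):
                auth, encrypted, password = classify(parse_conn(match.group(0)))
                findings.append(Finding(os.path.relpath(path, root), auth, encrypted, password))
    return findings

def risky(findings: list) -> list:
    """Findings that expose credentials or permit unencrypted transport."""
    return [f for f in findings if f.auth == "sql" or not f.encrypted]

def demo() -> list:
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit_directory(root)

if __name__ == "__main__":
    for f in risky(demo()):
        print(f"{f.path}: auth={f.auth} encrypted={f.encrypted} password_in_file={f.password_present}")
```

Run against a real application share, `audit_directory` takes the mounted path as `root`; any finding with `auth == "sql"` is a credential that every reader of that directory can recover, which is exactly the condition the advisory describes. Switching the string to the `HARDENED` form moves authentication to the Windows identity of the account running the application and forces TLS, so the config file no longer contains anything worth reading; tightening the NTFS ACL on the directory is still worthwhile as a second layer.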
The vulnerabilities were discovered during a security audit and server installation by James Harrold of Sparrow IT Solutions.
The advisory, documented by CERT/CC's Timur Snoke, was published on August 19, 2025, as Vulnerability Note VU#706118, emphasizing the critical nature of these security flaws affecting municipal government systems nationwide.