Critical Vulnerabilities in Workhorse Software Expose Municipal Data: CERT/CC Issues Urgent Warning
CERT/CC reveals critical vulnerabilities in Workhorse Software's accounting systems, used by hundreds of U.S. municipalities. Learn about the risks, affected versions, and recommended actions to secure sensitive data.
TL;DR
The CERT Coordination Center (CERT/CC) has disclosed two critical vulnerabilities in Workhorse Software’s municipal accounting systems, affecting hundreds of U.S. cities and towns. These flaws—plaintext storage of database credentials and unauthenticated database backup functionality—could expose sensitive personally identifiable information (PII), financial records, and enable data tampering. Immediate updates and security measures are strongly recommended.
Critical Vulnerabilities in Workhorse Software Expose Municipal Data
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an urgent warning about two severe vulnerabilities in Workhorse Software’s accounting application, widely used by hundreds of municipalities in Wisconsin and across the U.S.. These vulnerabilities, if exploited, could lead to unauthorized access to sensitive data, data exfiltration, and compromised financial integrity.
The vulnerabilities were responsibly disclosed by James Harrold, a researcher at Sparrow IT Solutions, and affect software versions prior to 1.9.4.48019.
Details of the Vulnerabilities
1. Plaintext Storage of Database Credentials (CVE-2025-9037)
- Issue: The SQL Server connection string is stored in a plaintext configuration file alongside the application executable.
- Risk: Attackers with read access to the directory (often located in a shared network folder) can retrieve database credentials, enabling unauthorized access to the SQL database.
- Impact:
- Exposure of sensitive PII, including Social Security numbers.
- Potential financial data breaches.
- Risk of data tampering and audit trail compromise.
2. Unauthenticated Database Backup Functionality (CVE-2025-9040)
- Issue: The application’s File menu allows unauthenticated users to create unencrypted database backups from the login screen.
- Risk: Attackers can download the entire database as a .bak file, which can be restored on any SQL Server without a password.
- Impact:
- Complete exposure of municipal financial records.
- Potential for large-scale data exfiltration.
- Risk of fraud and financial manipulation.
CERT/CC’s Recommendations for Mitigation
To address these vulnerabilities, CERT/CC strongly advises the following actions:
- Immediate Software Update
- Upgrade to Workhorse Software version 1.9.4.48019 or later to patch the vulnerabilities.
- Enhanced Security Measures
- Restrict directory access to prevent unauthorized retrieval of configuration files.
- Enable SQL encryption to protect data in transit and at rest.
- Use Windows Authentication instead of SQL authentication to reduce credential exposure.
- Disable the backup feature if not essential.
- Implement network segmentation and firewalls to limit access to the database.
Why This Matters
Municipalities rely on Workhorse Software for critical financial operations, including tax collection, payroll, and budget management. The exposure of such vulnerabilities poses a significant risk to:
- Public trust in local government institutions.
- Financial stability of cities and towns.
- Compliance with data protection regulations.
Failure to address these vulnerabilities could lead to legal repercussions, financial losses, and reputational damage.
Conclusion
The discovery of these vulnerabilities underscores the critical importance of cybersecurity in municipal software systems. Organizations using Workhorse Software must act immediately to apply patches and implement additional security measures to safeguard sensitive data.
As cyber threats continue to evolve, proactive vulnerability management and regular security audits are essential to prevent data breaches and ensure operational resilience.
Additional Resources
For further insights, check:
Follow for more updates:
- Twitter: @securityaffairs
- Facebook: Security Affairs
- Mastodon: @securityaffairs