

Ethical Hacking News

US CERT/CC Discloses Serious Flaws in Workhorse Software Used by Hundreds of Municipalities in Wisconsin


US CERT/CC has disclosed two serious data exposure vulnerabilities in Workhorse Software used by hundreds of U.S. cities and towns across Wisconsin. The findings highlight a critical oversight on the part of Workhorse Software Services, emphasizing the importance of swift updates and additional security measures.

  • The US CERT/CC has disclosed two serious data exposure vulnerabilities in an accounting application used by hundreds of U.S. cities and towns across Wisconsin.
  • A researcher identified the vulnerabilities, which can allow unauthorized access to sensitive data and facilitate data exfiltration.
  • The first vulnerability (CVE-2025-9037) involves a plaintext database connection string issue that can be exploited by an attacker with read access to the directory.
  • The second vulnerability (CVE-2025-9040) involves an unauthenticated database backup function that writes an unencrypted ZIP archive containing sensitive PII, which also opens the door to data tampering.
  • US CERT/CC urges municipalities using Workhorse Software to update their software immediately, along with implementing additional safety measures.



US CERT/CC, a cybersecurity coordination center affiliated with Carnegie Mellon University, has disclosed two serious data exposure vulnerabilities in an accounting application developed by Workhorse Software Services, Inc. The software is used by hundreds of U.S. cities and towns across the state of Wisconsin, making this a significant development for local government cybersecurity.

The researcher James Harrold of Sparrow IT Solutions identified these vulnerabilities, which were subsequently reported to US CERT/CC only after the vendor had taken steps to address them. According to US CERT/CC, both vulnerabilities could allow unauthorized access to sensitive data and facilitate data exfiltration. This finding highlights a critical oversight on the part of Workhorse Software Services in ensuring the security of its software.

The first vulnerability, tracked as CVE-2025-9037, concerns a plaintext database connection string. The SQL Server connection string is stored in a plaintext configuration file located alongside the executable. Typically, this file sits on a shared network folder, often hosted on the same server as the SQL database. If SQL authentication is used and an attacker has read access to this directory, they can recover the credentials from this file and compromise the database.

The second vulnerability, tracked as CVE-2025-9040, concerns an unauthenticated database backup function. The app's File menu allows users to back up the database to an unencrypted ZIP archive, producing a .bak file that can be restored on any SQL Server without a password. This feature effectively provides an open door for attackers to obtain the complete database. Possession of such a database could expose sensitive personally identifiable information (PII) such as Social Security numbers, municipal financial records, and other confidential data.

Moreover, possessing a database backup could also enable data tampering, undermining audit trails and compromising the integrity of municipal financial operations. This underscores the gravity of the situation and the urgency with which affected municipalities must address these vulnerabilities.

In light of this critical information, US CERT/CC urges all municipalities using Workhorse Software to update their software to version 1.9.4.48019 immediately. Furthermore, additional safety measures such as restricting directory access, enabling SQL encryption and Windows Authentication, disabling the backup feature, and using network segmentation with firewalls to limit database access are advised.
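As an added example (not Workhorse's code or anything from the CERT/CC advisory), the following Python audit script ties the plaintext connection-string exposure behind CVE-2025-9037 to the Windows Authentication and encryption mitigations recommended above: it pulls SqlClient-style connection strings out of a config file's text and flags SQL authentication with an embedded password, a missing Encrypt setting, and disabled certificate validation. The app.config snippet is constructed, and "SQL encryption" is assumed to mean TLS encryption of the client connection.

```python
"""Audit SqlClient-style SQL Server connection strings found in plaintext config
files. Added example, not Workhorse's code or CERT/CC tooling; samples are constructed."""
import re

_PWD_KEYS = {"password", "pwd"}                                   # SqlClient synonyms
_INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
_TRUE_VALUES = {"true", "yes", "sspi"}
_ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
# A connection string starts at Server= or Data Source= and runs to a quote or tag.
_CONN_RE = re.compile(r'(?i)\b(?:server|data source)\s*=[^"\'<>\n]+')


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in conn.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip().strip("'\"{}")
    return parts


def audit_connection_string(conn: str) -> list[str]:
    """Return findings for one connection string; [] means it is hardened."""
    p = parse_connection_string(conn)
    findings = []
    integrated = any(p.get(k, "").lower() in _TRUE_VALUES for k in _INTEGRATED_KEYS)
    if any(p.get(k) for k in _PWD_KEYS) and not integrated:
        findings.append("SQL authentication with a plaintext password "
                        "(the CVE-2025-9037 pattern); use Integrated Security=SSPI")
    if p.get("encrypt", "").lower() not in _ENCRYPT_ON:
        findings.append("Encrypt is off; logons and data cross the network in clear")
    if p.get("trustservercertificate", "").lower() in {"true", "yes"}:
        findings.append("TrustServerCertificate=True disables certificate validation")
    return findings


def audit_config_text(text: str) -> list[tuple[str, list[str]]]:
    """Find every connection string in a config file's text and audit each one."""
    return [(c, audit_connection_string(c)) for c in _CONN_RE.findall(text)]


# Constructed app.config; the first entry mirrors the reported exposure.
SAMPLE_CONFIG = """<configuration><connectionStrings>
  <add name="Weak" connectionString="Server=FILESRV01;Database=Accounting;User ID=appuser;Password=Summer2025!;" />
  <add name="Hardened" connectionString="Server=FILESRV01;Database=Accounting;Integrated Security=SSPI;Encrypt=True;" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for conn, findings in audit_config_text(SAMPLE_CONFIG):
        print(conn, "->", findings or ["OK"])
```

Run it against the config files in the application's shared folder; any entry that reports findings is a candidate for switching to Integrated Security=SSPI with Encrypt=True, after which the file no longer carries a reusable database password.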

This incident serves as a poignant reminder of the importance of vigilance and proactive steps in cybersecurity for all local governments, particularly those relying on third-party software solutions. It underscores the need for thorough assessments and regular updates to prevent similar vulnerabilities from arising.





  • Published: Thu Aug 21 03:27:39 2025 by llama3.2 3B Q4_K_M
