US CERT/CC Warns of Flaws in Workhorse Software's Accounting Software Used by Hundreds of Municipalities in Wisconsin
The United States Computer Emergency Response Team Coordination Center (US CERT/CC) has disclosed serious data exposure vulnerabilities in the accounting software developed by Workhorse Software, used by hundreds of U.S. cities and towns in Wisconsin.
A Threat to Sensitive Data: Flaws Discovered in Municipal Accounting Software
According to James Harrold, a researcher at Sparrow IT Solutions, who reported both vulnerabilities, the flaws found in Workhorse Software's municipal accounting software prior to version 1.9.4.48019 could allow unauthorized access to sensitive data and facilitate data exfiltration.
The Vulnerability Note published by US CERT/CC reveals that the software contains design flaws that put database connection information at risk, making it accessible to attackers who can recover credentials from a plaintext configuration file located alongside the executable. Additionally, an unauthenticated database backup functionality allows users to create unencrypted ZIP files that can be restored on any SQL Server without a password.
Plaintext Database Connection String Issue (CVE-2025-9037)
The first vulnerability is a plaintext database connection string issue tracked as CVE-2025-9037. The SQL Server connection string is stored in a plaintext configuration file located alongside the executable, which is usually found on a shared network folder on the same server as the SQL database.
If an attacker with read access to the directory can recover the credentials in this file, they could potentially use them to gain unauthorized access to sensitive data.
Unauthenticated Database Backup Functionality (CVE-2025-9040)
The second vulnerability is an unauthenticated database backup functionality tracked as CVE-2025-9040. The app's File menu lets users back up the database to an unencrypted ZIP, creating a .bak file that can be restored on any SQL Server without a password.
This feature poses a significant risk to sensitive data, including Social Security numbers, full municipal financial records, and other confidential information. An attacker could obtain the complete database, potentially exposing PII and undermining audit trails and the integrity of municipal financial operations.
Immediate Action Required
The US CERT/CC urges all users of Workhorse Software to update their software immediately to version 1.9.4.48019. Several further safeguards can also be put in place to reduce the risk of a data breach:
- Restrict directory access
- Enable SQL encryption and Windows Authentication
- Disable the backup feature
- Use network segmentation with firewalls to limit database access
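The second and third safeguards above can be checked for from the defender's side. The following is an added example (not Workhorse Software's code and not from the advisory) that parses a SQL Server connection string out of a config file and flags the weak settings the advisory describes: an embedded plaintext password, SQL authentication instead of Windows Authentication, and transport encryption left off. The .NET-style `connectionStrings` layout and the server, database and credential values are assumptions used only as constructed sample input.

```python
"""Hypothetical defender-side audit of plaintext SQL Server connection strings.
Not Workhorse Software's code; the config layout is an assumed .NET-style
connectionStrings section used only as constructed sample input."""
import re

PASSWORD_KEYS = ("password", "pwd")            # SqlClient aliases for a password
WINDOWS_AUTH_VALUES = {"true", "sspi", "yes"}  # values that select Windows Auth
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
CONNSTR_ATTR = re.compile(r'connectionString\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lowercased keys."""
    parts = {}
    for item in cs.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip().strip("'\"{}")
    return parts


def audit_connection_string(cs):
    """Return findings against the advisory's mitigations; [] means clean."""
    p = parse_connection_string(cs)
    findings = []
    if any(k in p for k in PASSWORD_KEYS):
        findings.append("plaintext password embedded in connection string")
    integrated = p.get("integrated security", p.get("trusted_connection", "false"))
    if integrated.lower() not in WINDOWS_AUTH_VALUES:
        findings.append("Windows Authentication (Integrated Security) not enabled")
    if p.get("encrypt", "false").lower() not in ENCRYPT_ON:
        findings.append("transport encryption (Encrypt) not enabled")
    if p.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True disables certificate checks")
    return findings


def audit_config_text(text):
    """Audit every connectionString="..." attribute found in a config body."""
    return {m.group(1): audit_connection_string(m.group(1))
            for m in CONNSTR_ATTR.finditer(text)}


# Constructed sample: a weak string as the advisory describes, and a hardened one.
WEAK = "Data Source=FS01\\SQLEXPRESS;Initial Catalog=MuniAcct;User ID=sa;Password=Summer2025!"
HARDENED = "Data Source=FS01\\SQLEXPRESS;Initial Catalog=MuniAcct;Integrated Security=SSPI;Encrypt=True"
SAMPLE_CONFIG = f'<configuration><connectionStrings>\n  <add name="Muni" connectionString="{WEAK}" />\n</connectionStrings></configuration>'

if __name__ == "__main__":
    for cs, findings in audit_config_text(SAMPLE_CONFIG).items():
        print(cs, "->", findings or "OK")
```

Run it against the config directory the executable lives in; a non-empty findings list on any string means the file still carries credentials that the "restrict directory access" step alone cannot protect.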
The security of sensitive data is crucial for municipalities, and it is essential that they take immediate action to address these vulnerabilities.