Source: www.securityweek.com – Author: Eduard Kovacs
Two potentially serious vulnerabilities have been found by a researcher in accounting software used by hundreds of cities and towns.
The affected application is made by Workhorse Software Services, which provides software solutions to 310 municipalities in Wisconsin. The vendor has released patches and mitigations after being notified.
The vulnerabilities, discovered by researcher James Harrold of Sparrow IT Solutions, were disclosed this week by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
One of the flaws, tracked as CVE-2025-9037, is an information exposure issue: the SQL Server connection credentials used by the application are stored in a plaintext file, typically located on a shared network folder, so anyone who can read that share can read the database login.
The second issue, CVE-2025-9040, concerns a database backup feature that is reachable from the login screen, before any user has authenticated. It produces an unencrypted database backup file, which can later be restored on any SQL Server instance without a password.
This database backup can be copied by anyone with physical access to the device running the Workhorse software, or by malware present on the system.
“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data,” CERT/CC said. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”
Version 1.9.4.48019 patches the vulnerabilities, and mitigations are available for customers who cannot update immediately. Workhorse also pointed out that customers have always been responsible for choosing the SQL authentication method the software uses, and that the problematic backup functionality has always been optional.
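Because the first flaw and the vendor's response both turn on how the application authenticates to SQL Server, the practical check for an affected municipality is to find every connection string on the share and see whether it embeds a SQL login password or uses integrated Windows authentication. The following audit script is an added example for this article, not Workhorse's code; it assumes the application's settings live in text files containing ADO.NET/ODBC-style connection strings (semicolon-separated key=value pairs), and the file names and contents it scans are constructed samples. It records the server and login name of each finding but never the password itself.

```python
"""Audit files on a share for plaintext SQL Server credentials (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
SERVER_KEYS = ("server", "data source", "addr", "address", "network address")

# A connection string starts at "Server=" or "Data Source=" and runs to the
# end of the line or to the closing quote of an XML/INI attribute value.
CONN_RE = re.compile(r'(?i)((?:server|data source)\s*=[^"\'\r\n]*)')


@dataclass
class Finding:
    path: str
    line_no: int
    server: str
    user: str
    reason: str


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for chunk in conn.split(";"):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def first(parts: Dict[str, str], keys) -> str:
    """Return the value of the first key present, or '' if none is."""
    for k in keys:
        if k in parts:
            return parts[k]
    return ""


def classify(parts: Dict[str, str]) -> Optional[str]:
    """Return why a connection string is a finding, or None if it is clean."""
    integrated = first(parts, INTEGRATED_KEYS).lower() in ("true", "sspi", "yes")
    has_password = first(parts, PASSWORD_KEYS) != ""
    if has_password and not integrated:
        return "SQL authentication with plaintext password"
    if has_password and integrated:
        return "stale password alongside integrated auth; remove it"
    return None


def audit_text(path: str, text: str) -> List[Finding]:
    """Audit one file's contents; the password value is never recorded."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CONN_RE.search(line)
        if not m:
            continue
        parts = parse_connection_string(m.group(1))
        reason = classify(parts)
        if reason:
            findings.append(Finding(path, line_no, first(parts, SERVER_KEYS),
                                    first(parts, USER_KEYS), reason))
    return findings


def scan_directory(root: str, extensions=(".ini", ".config", ".txt", ".xml", ".cfg")) -> List[Finding]:
    """Walk a directory (for example a mounted share) and audit matching files."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_text(full, fh.read()))
    findings.sort(key=lambda f: (f.path, f.line_no))
    return findings


# Constructed sample files; names, hosts and logins are hypothetical.
SAMPLE_FILES = {
    "settings.ini": ("[Database]\nConnectionString=Server=FIN-SQL01;Database=Accounting;"
                     "User ID=sa;Password=Summer2024!\n"),
    "app.config": ('<connectionStrings>\n  <add name="Accounting" connectionString='
                   '"Data Source=FIN-SQL01;Initial Catalog=Accounting;Integrated Security=SSPI;" />\n'
                   '</connectionStrings>\n'),
    "legacy.txt": "Server=FIN-SQL02;Database=Payroll;Integrated Security=True;User ID=svc_wh;Password=old\n",
}


def demo() -> List[Finding]:
    """Write the samples to a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{os.path.basename(f.path)}:{f.line_no} server={f.server} user={f.user}: {f.reason}")
```

Run it against the mounted share (`scan_directory(r"\\fileserver\workhorse")` or similar) rather than the samples. Any hit with "SQL authentication with plaintext password" is the CVE-2025-9037 condition; moving that client to integrated authentication removes the secret from the file entirely, and a hit for the `sa` login deserves the same priority as the file exposure itself, since that login is also what the unauthenticated backup from CVE-2025-9040 would be restored with.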
Original Post URL: https://www.securityweek.com/flaws-in-software-used-by-hundreds-of-cities-and-towns-exposed-sensitive-data/
Category & Tags: Vulnerabilities, Data Exposure, vulnerability, Workhorse