Top Highlights
- Two serious vulnerabilities in Workhorse Software used by 310 Wisconsin municipalities could expose sensitive data, including Social Security numbers and municipal financial records.
- The flaws involve SQL credentials stored in plaintext and a backup feature that produces unencrypted database backups; both put data at risk of theft and tampering.
- CERT/CC and the vendor have released patches (version 1.9.4.48019) and mitigations; the problematic backup feature is optional and the password storage issue relates to the SQL authentication method in use.
- Attacks could occur via physical access or malware, potentially compromising the integrity of municipal financial operations and privacy.
Key Challenge
James Harrold, a researcher at Sparrow IT Solutions, uncovered two serious security flaws in the accounting software produced by Workhorse Software Services, which is used by over 300 municipalities in Wisconsin. The vulnerabilities, disclosed publicly through the CERT Coordination Center at Carnegie Mellon University, put sensitive data and the integrity of municipal financial records at risk. The first flaw, CVE-2025-9037, exposes SQL server connection credentials stored in plaintext files, making it easier for attackers who gain system access to retrieve these credentials. The second, CVE-2025-9040, involves a backup feature accessible from the login screen that allows unencrypted database backups, which can be stolen or accessed locally or via malware, potentially enabling hackers to extract or manipulate data such as Social Security numbers and municipal finances. In response, Workhorse has released version 1.9.4.48019 with patches. The vendor warns that the backup functionality is optional and relies heavily on user responsibility, and emphasizes that the vulnerabilities highlight the importance of secure authentication and data handling practices in municipal software.
Security Implications
Two significant vulnerabilities have been uncovered in accounting software used by numerous municipalities, including 310 Wisconsin towns supplied by Workhorse Software Services. The first, CVE-2025-9037, exposes SQL server credentials stored in plaintext files, risking unauthorized access to sensitive data. The second, CVE-2025-9040, involves a database backup feature accessible from the login screen that allows unencrypted backups to be created and restored without a password, potentially enabling malicious actors or malware with physical or system access to copy or tamper with municipal data. These flaws threaten the confidentiality, integrity, and availability of critical financial and personal information, such as Social Security numbers and municipal records, and could undermine audit processes and public trust. Workhorse has issued patches (version 1.9.4.48019) to address these issues, and mitigation strategies are also available. The vulnerabilities nonetheless highlight the importance of vigilant security practices in municipal technology systems to prevent data breaches and safeguard citizen information.
Possible Next Steps
When flaws in software used by numerous cities and towns expose sensitive data, timely remediation is crucial to prevent further data breaches, protect citizen privacy, and maintain public trust. Addressing vulnerabilities promptly minimizes potential damage, cyber threats, and legal liabilities.
Assessment & Identification
- Conduct comprehensive vulnerability scans
- Identify affected systems and data
Immediate Containment
- Isolate compromised servers or applications
- Disable affected access points
Patch & Update
- Deploy software patches promptly
- Upgrade outdated systems
Enhanced Security Measures
- Implement stronger authentication protocols
- Increase monitoring and intrusion detection
Communication & Transparency
- Notify impacted parties swiftly
- Provide guidance on data protection
Post-Remediation Review
- Analyze root causes of vulnerability
- Develop strategies to prevent recurrence
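For the Assessment & Identification step, one way to check a host for the plaintext SQL credential pattern behind CVE-2025-9037 is to scan configuration files for connection strings that embed a password. This is an added example, not code from the vendor or CERT/CC; the file extensions, file names and sample connection strings are constructed assumptions, not the product's real files.

```python
import re
import tempfile
from pathlib import Path

# Matches a connection-string run inside a config line (stops at quotes/tags).
CONN_RE = re.compile(r"[^\"'<>\n]*\b(?:data source|server)\s*=[^\"'<>\n]*", re.I)
PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid", "user"}
# Assumption: the extensions worth checking; adjust for the install being audited.
CONFIG_SUFFIXES = {".config", ".ini", ".xml", ".json", ".txt"}

def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def scan_text(text):
    """Return (line_no, sql_login) for each connection string with an embedded password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CONN_RE.finditer(line):
            pairs = parse_connection_string(match.group(0))
            if any(pairs.get(k) for k in PASSWORD_KEYS):
                login = next((pairs[k] for k in USER_KEYS if k in pairs), "?")
                findings.append((line_no, login))  # the password itself is never recorded
    return findings

def scan_tree(root):
    """Scan config-like files under root; return sorted (file name, line_no, sql_login)."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in CONFIG_SUFFIXES:
            text = path.read_text(errors="replace")
            results += [(path.name, n, login) for n, login in scan_text(text)]
    return sorted(results)

def demo():
    """Run the scan over constructed sample files (not real product files)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "app.config").write_text(
            '<add name="db" connectionString="Data Source=DB01;'
            'Initial Catalog=Ledger;User ID=acct_app;Password=Example-Only-1" />\n')
        Path(tmp, "trusted.ini").write_text(
            "ConnStr=Server=DB01;Database=Ledger;Integrated Security=SSPI\n")
        return scan_tree(tmp)
```

`demo()` flags only the SQL-login connection string and leaves the Windows-authenticated one alone; `scan_tree()` takes the directory being audited and reports file, line and login name without echoing the password.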