Two severe security flaws in Workhorse Software Services’ municipal accounting platform could enable unauthorized actors to exfiltrate complete databases containing sensitive financial records and personally identifiable information.
The vulnerabilities, tracked as CVE-2025-9037 and CVE-2025-9040, affect all software versions before 1.9.4.48019 and stem from fundamental design weaknesses in authentication mechanisms and data protection protocols.
Vulnerability Analysis
The first vulnerability, CVE-2025-9037, involves the insecure storage of database connection strings in plaintext configuration files located within the application’s executable directory.
This architectural flaw becomes particularly problematic in typical deployment scenarios where the application directory resides on shared network folders hosted by the same server running the SQL database infrastructure.
When SQL authentication is implemented, these configuration files expose database credentials to any entity with read access to the network share, creating a significant attack vector for both internal and external threats.
The second critical flaw, CVE-2025-9040, enables unauthenticated database backup operations through the application’s file menu system.
This functionality remains accessible even from the login screen, allowing unauthorized users to execute MS SQL Server Express backup procedures and export complete database archives as unencrypted ZIP files.
These backup files can subsequently be restored to any SQL Server instance without password authentication, effectively bypassing all access controls.
Attack Scenarios and Impact Assessment
Threat actors could exploit these vulnerabilities through multiple vectors, including physical workstation access, malware deployment for network file enumeration, or social engineering campaigns targeting administrative personnel.
Successful exploitation would grant complete database access, potentially exposing Social Security numbers, comprehensive municipal financial records, and other classified governmental data.
The security implications extend beyond data exposure to include potential data integrity compromises.
Attackers possessing database backups could manipulate financial records, alter audit trails, and undermine the overall integrity of municipal accounting operations.
Such tampering could have lasting impacts on fiscal transparency and regulatory compliance requirements.
Mitigation Strategy
CERT/CC recommends immediate deployment of software version 1.9.4.48019 to address these critical vulnerabilities.
Additional hardening measures include implementing NTFS permission restrictions on application directories, enabling SQL Server encryption with Windows Authentication, and deploying network segmentation controls to limit database access.
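As an added audit helper (not code from the advisory, CERT/CC or Workhorse), the Python below scans an application directory for .NET-style `connectionString` entries and labels each one by authentication mode, so a defender can find the CVE-2025-9037 condition, a SQL-authentication password sitting in plaintext on the share, and confirm which entries already use Windows Authentication as recommended above. The app.config layout, the file extensions scanned and the sample content are assumptions; the page does not describe Workhorse's real configuration format.

```python
import re
from pathlib import Path

# Constructed sample in .NET app.config style; the page does not state
# Workhorse's real config layout, so this is an assumption for illustration.
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="Accounting" connectionString="Server=FS01\\SQLEXPRESS;Database=Muni;User ID=sa;Password=Example1;" />
  <add name="Audit" connectionString="Server=FS01\\SQLEXPRESS;Database=Audit;Integrated Security=SSPI;" />
</connectionStrings>
"""

_PAIR = re.compile(r'([^=;]+)=("[^"]*"|\'[^\']*\'|[^;]*)')
_CS_ATTR = re.compile(r'name="([^"]*)"[^>]*connectionString="([^"]*)"', re.I)
_USER_KEYS = {"user id", "uid", "user", "username"}
_PWD_KEYS = {"password", "pwd"}
_TRUSTED_KEYS = {"integrated security", "trusted_connection"}

def parse_connection_string(cs: str) -> dict:
    """Split an ADO.NET 'key=value;' string into a lowercase-keyed dict.
    Quoted values may contain semicolons; surrounding quotes are stripped."""
    return {k.strip().lower(): v.strip().strip('"\'') for k, v in _PAIR.findall(cs)}

def classify(cs: str) -> str:
    """Label the authentication mode a connection string relies on."""
    p = parse_connection_string(cs)
    if any(p.get(k, "").lower() in ("true", "yes", "sspi") for k in _TRUSTED_KEYS):
        return "windows-auth"                  # no secret stored on disk
    if any(p.get(k) for k in _PWD_KEYS):
        return "sql-auth-plaintext-password"   # the CVE-2025-9037 condition
    if any(p.get(k) for k in _USER_KEYS):
        return "sql-auth-no-password"          # login present, password supplied elsewhere
    return "unknown"

def findings_in_text(text: str, source: str = "<inline>") -> list:
    """Return (source, entry name, classification) for each connectionString found."""
    return [(source, n, classify(cs)) for n, cs in _CS_ATTR.findall(text)]

def scan_directory(root: str, patterns=("*.config", "*.xml", "*.ini")) -> list:
    """Walk an application directory (for example the share the executable
    lives on) and collect findings from every config-like file."""
    out = []
    for pat in patterns:
        for path in Path(root).rglob(pat):
            try:
                out.extend(findings_in_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                pass   # unreadable file: skip, the ACL is doing its job
    return out
```

Run `scan_directory` against the application folder from a workstation account to see what an ordinary share reader can recover; any `sql-auth-plaintext-password` result is a credential to rotate once the share ACLs are tightened.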
Vulnerability | CVE ID | CVSS Score | Attack Vector | Authentication Required |
---|---|---|---|---|
Plaintext Connection String | CVE-2025-9037 | Not Available | Network/Local | No |
Unauthenticated Backup | CVE-2025-9040 | Not Available | Local/Remote | No |
This vulnerability disclosure originated from a security audit conducted by James Harrold of Sparrow IT Solutions during a new server installation process.
Organizations utilizing Workhorse software should prioritize immediate patching to prevent potential data breaches affecting municipal operations.