The CERT Coordination Center (CERT/CC) has issued a vulnerability note warning of serious security flaws in Workhorse Software Services’ municipal accounting platform. Versions prior to 1.9.4.48019 contain multiple design weaknesses that could expose sensitive municipal financial and personal data to unauthorized access and exfiltration.
According to the advisory, “Workhorse Software Services, Inc municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration.”
Two distinct vulnerabilities were identified:
- Plaintext Database Connection String (CVE-2025-9037). The software stores SQL Server credentials in plaintext within a configuration file. As the advisory explains, “the software stores the SQL Server connection string in a plaintext configuration file located alongside the executable… credentials in this file could be recovered by anyone with read access to the directory.”
- Unauthenticated Database Backup Functionality (CVE-2025-9040). A flaw in the application’s design allows anyone, even unauthenticated users at the login screen, to create and download unencrypted database backups. CERT/CC notes: “The application’s ‘File’ menu, accessible even from the login screen, provides a database backup feature that executes an MS SQL Server Express backup and allows saving the resulting .bak file inside an unencrypted ZIP archive.”
These issues could be exploited by attackers with physical access to the system, by malware able to read files over the network, or through social engineering.
The implications are severe for municipalities using Workhorse software. CERT/CC warns: “An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data.”
Such access could not only lead to data breaches but also allow attackers to tamper with financial records, undermining the integrity of audits and public financial operations.
CERT/CC strongly urges organizations to upgrade to version 1.9.4.48019 as soon as possible.
Other mitigation strategies include:
- Restricting access to application directories with NTFS permissions.
- Enabling SQL Server encryption and Windows Authentication.
- Disabling the backup feature where feasible.
- Using network segmentation and firewall rules to limit exposure.
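The first flaw and the second and third mitigations come down to what the stored connection string says. The following audit script is an added example, not code from CERT/CC or Workhorse; it parses an ADO.NET-style SQL Server connection string found in a config file and flags a stored password, missing Windows Authentication and missing Encrypt=True. The sample config content is constructed for the demonstration.

```python
import re

# Constructed sample of the kind of plaintext entry the advisory describes
# (hypothetical content, not taken from the Workhorse product).
SAMPLE_CONFIG = (
    "[Database]\n"
    "ConnectionString=Server=.\\SQLEXPRESS;Database=Municipal;"
    "User ID=sa;Password=Hunter2;Encrypt=False\n"
)

def parse_connection_string(cs):
    """Split an ADO.NET-style 'key=value;key=value' string into a dict of lowercase keys."""
    parts = {}
    for item in cs.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts

def audit_connection_string(cs):
    """Return the weak settings found; an empty list means none were detected."""
    p = parse_connection_string(cs)
    findings = []
    if "password" in p or "pwd" in p:  # reusable secret stored on disk (CVE-2025-9037)
        findings.append("plaintext SQL login password present")
    integrated = p.get("integrated security", p.get("trusted_connection", "false")).lower()
    if integrated not in ("true", "sspi", "yes"):  # Windows Auth needs no stored password
        findings.append("Windows Authentication (Integrated Security=SSPI) not enabled")
    if p.get("encrypt", "false").lower() not in ("true", "yes", "mandatory", "strict"):
        findings.append("Encrypt=True not set; credentials and data travel in clear text")
    return findings

def audit_config_text(text):
    """Line-oriented scan: returns {line_number: findings} for lines holding a connection string."""
    results = {}
    for no, line in enumerate(text.splitlines(), 1):
        if not re.search(r"(?i)\b(server|data source)\s*=", line):
            continue
        # Strip a leading 'ConnectionString=' key so that only the value is parsed.
        cs = line.partition("=")[2] if line.lower().lstrip().startswith("connectionstring") else line
        findings = audit_connection_string(cs)
        if findings:
            results[no] = findings
    return results

if __name__ == "__main__":
    for no, f in audit_config_text(SAMPLE_CONFIG).items():
        print(f"line {no}: {'; '.join(f)}")
```

Run `audit_config_text` over each config file in the application directory to confirm that, after upgrading or reconfiguring, no stored password remains and the connection uses Integrated Security with encryption.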