Vulnerabilities reported in Workhorse Software Services municipal accounting software
Take action: If you are using Workhorse accounting software, plan a prompt update to version 1.9.4.48019. Multiple vectors can expose your database, and eventually malware, phishing or a disgruntled employee will take advantage of one of them. Until you can patch, restrict network access to the application directory and enable SQL Server Windows Authentication to limit the exposure.
Learn More
The U.S. Computer Emergency Response Team Coordination Center (CERT/CC) is reporting vulnerabilities in Workhorse Software Services' municipal accounting software. Workhorse Software Services provides accounting software solutions to hundreds of municipalities, with over 300 Wisconsin municipalities currently using the platform.
Vulnerabilities summary
- CVE-2025-9037 (no CVSS score assigned) - Plaintext Database Connection String Storage: The software stores the SQL Server connection string in a plaintext configuration file located alongside the executable. In typical deployments, this directory is on a shared network folder hosted by the same server running the SQL database. When SQL authentication is used, database credentials in this file could be recovered by anyone with read access to the directory, providing direct access to the underlying database system.
- CVE-2025-9040 (no CVSS score assigned) - Unauthenticated Database Backup Functionality: The application's "File" menu, accessible even from the login screen, provides a database backup feature that executes an MS SQL Server Express backup and allows saving the resulting .bak file inside an unencrypted ZIP archive. This backup can be restored to any SQL Server instance without requiring authentication or password protection, essentially allowing complete database exfiltration without proper authorization.
An attacker with physical access to a workstation could exploit the unauthenticated backup functionality to create and download complete database copies. Malware capable of reading network files could access the plaintext configuration files to obtain database credentials. Social engineering attacks could also manipulate authorized users into unknowingly executing database backups for malicious actors.
The vulnerabilities affect all versions of the software prior to version 1.9.4.48019 and could enable unauthorized access to sensitive municipal financial records and personally identifiable information.
CERT/CC strongly recommends updating the software to version 1.9.4.48019 as soon as possible.
For organizations unable to implement immediate updates, CERT/CC recommends:
- restricting access to the application directory via NTFS permissions to limit exposure of plaintext configuration files;
- enabling SQL Server encryption and Windows Authentication to reduce the impact of credential exposure; and
- implementing network segmentation and firewall rules to limit database access from untrusted network segments.
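As an added check (not Workhorse or CERT/CC code), the following Python audits connection strings of the kind CVE-2025-9037 concerns: it parses the ADO.NET keyword syntax, flags strings that embed SQL Server credentials instead of relying on Windows Authentication, and flags strings that do not enable encryption. The one-string-per-line config layout, the server name ACCT-SRV and the sample strings are assumptions, not values from the advisory.

```python
"""Flag SQL Server connection strings that embed credentials or skip encryption.
Added example, not Workhorse code; assumes one ADO.NET-style connection string per
non-comment config line (the real file layout is not given in the advisory)."""
import re

# ADO.NET keyword aliases (case-insensitive) that matter for this check.
USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}
WINAUTH_KEYS = {"integrated security", "trusted_connection"}
# key=value pairs split on ';'; quoted values may themselves contain ';'.
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")

def parse_connection_string(conn):
    """Return {lowercased keyword: value} for an ADO.NET connection string."""
    pairs = {}
    for m in _PAIR.finditer(conn):
        value = next(v for v in m.groups()[1:] if v is not None)
        pairs[m.group(1).strip().lower()] = value.strip()
    return pairs

def audit_connection_string(conn):
    """Classify one connection string; returns a dict of findings."""
    p = parse_connection_string(conn)
    windows_auth = any(p.get(k, "").lower() in {"true", "yes", "sspi"} for k in WINAUTH_KEYS)
    has_user = any(k in p for k in USER_KEYS)
    has_password = any(p.get(k, "") != "" for k in PASSWORD_KEYS)
    return {
        "windows_auth": windows_auth,
        # SQL authentication with the password in the file is the CVE-2025-9037 condition.
        "plaintext_sql_credentials": not windows_auth and has_user and has_password,
        # A missing Encrypt keyword is treated as "not explicitly enabled".
        "encrypted": p.get("encrypt", "").lower() in {"true", "yes", "mandatory", "strict"},
    }

def audit_config_text(text):
    """Return (line number, findings) for every risky connection string in a config."""
    risky = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            f = audit_connection_string(line)
            if f["plaintext_sql_credentials"] or not f["encrypted"]:
                risky.append((lineno, f))
    return risky

# Constructed sample config (not from any real deployment).
SAMPLE_CONFIG = """# weak: SQL authentication with the password in the file, no encryption
Server=ACCT-SRV\\SQLEXPRESS;Database=Accounting;User ID=sa;Password='p;ss';Encrypt=False
# hardened: Windows Authentication, encrypted transport
Server=ACCT-SRV\\SQLEXPRESS;Database=Accounting;Integrated Security=SSPI;Encrypt=True"""
```

Running `audit_config_text` over a real deployment's configuration files gives a quick inventory of which strings still need the Windows Authentication and encryption changes CERT/CC recommends.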