CERT/CC Issues Warning Over Critical Flaws in Workhorse Municipal Accounting Software

Two severe security flaws in Workhorse Software Services’ municipal accounting platform could enable unauthorized actors to exfiltrate complete databases containing sensitive financial records and personally identifiable information.

The vulnerabilities, tracked as CVE-2025-9037 and CVE-2025-9040, affect all versions of the software before 1.9.4.48019. They stem from two design choices: how the application stores its database credentials, and the fact that its database backup function is reachable before a user logs in.

Vulnerability Analysis

The first vulnerability, CVE-2025-9037, involves the insecure storage of database connection strings in plaintext configuration files located within the application’s executable directory.

The flaw is most serious in the common deployment in which the application directory is a network share hosted on the same server that runs the SQL Server instance.

When the application is configured for SQL Server authentication, the connection string contains a SQL login and its password, so anyone with read access to the share, including every user who can run the application, obtains the database credentials. With Windows Authentication the connection string carries no password, which is why switching to it removes the secret from the file rather than merely hiding it.
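The following script is an added example, not code from Workhorse Software Services or CERT/CC. It audits an application share for configuration files that embed a SQL Server login and password in a connection string, which is the exposure behind CVE-2025-9037, and reports which principals can read each offending file. The share path, the file extensions and the example connection strings in the comments are assumptions; the page does not name the Workhorse configuration file.

```powershell
# Added example (not Workhorse's or CERT/CC's code): find connection strings with an
# embedded SQL password on a share and show who can read them.
param(
    [string]$SharePath = '\\ACCT-SQL01\Workhorse'   # assumed UNC path of the application share
)

# Weak (assumed):     Server=ACCT-SQL01\SQLEXPRESS;Database=Accounting;User ID=app;Password=S3cret!
# Hardened (assumed): Server=ACCT-SQL01\SQLEXPRESS;Database=Accounting;Integrated Security=SSPI
# The hardened form uses Windows Authentication, so the file holds no secret to leak.

$extensions = '*.config', '*.ini', '*.xml', '*.json', '*.txt'   # assumed config file types

# "Password=" or "Pwd=" followed by a value that ends at ';' or a quote.
$secretRegex = '(?i)\b(Password|Pwd)\s*=\s*[^;"'']+'

function Find-PlaintextSqlCredential {
    param([string]$Path, [string[]]$Include)

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $secretRegex |
                ForEach-Object {
                    # Mask the secret so the audit output is not itself a credential leak.
                    $masked = [regex]::Replace($_.Line, $secretRegex, '$1=********')

                    # Every principal with an Allow ACE on the file effectively holds the password.
                    $readers = (Get-Acl -Path $file.FullName).Access |
                        Where-Object { $_.AccessControlType -eq 'Allow' } |
                        ForEach-Object { $_.IdentityReference.Value } |
                        Sort-Object -Unique

                    [pscustomobject]@{
                        File       = $file.FullName
                        Line       = $_.LineNumber
                        Match      = $masked.Trim()
                        ReadableBy = ($readers -join ', ')
                    }
                }
        }
}

$findings = Find-PlaintextSqlCredential -Path $SharePath -Include $extensions
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) connection string(s) with an embedded password found under $SharePath"
} else {
    Write-Host "No plaintext SQL credentials found under $SharePath"
}
```

Run it from an account that can read the share; the ReadableBy column is the practical blast radius of the credential, and a hit whose readers include Everyone, Authenticated Users or BUILTIN\Users is the scenario the advisory describes. A file that matches only the Integrated Security form produces no finding, which is the state to aim for.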

The second critical flaw, CVE-2025-9040, enables unauthenticated database backup operations through the application’s file menu system.

The option is available from the login screen, before any credentials have been entered, so anyone who can reach the application can trigger a Microsoft SQL Server Express backup of the full database and save it as an unencrypted ZIP file.

Because the backup is not encrypted, it can be restored to any SQL Server instance the attacker controls without knowing the application's database credentials, bypassing every access control the application enforces.

Attack Scenarios and Impact Assessment

An attacker could reach these weaknesses by several routes: physical access to a workstation that runs the application, malware that enumerates network shares for the configuration file, or social engineering of administrative staff.

Successful exploitation grants complete access to the database, potentially exposing Social Security numbers, full municipal financial records and other sensitive government data.

The security implications extend beyond data exposure to include potential data integrity compromises.

Attackers possessing database backups could manipulate financial records, alter audit trails, and undermine the overall integrity of municipal accounting operations.

Such tampering could have lasting impacts on fiscal transparency and regulatory compliance requirements.

Mitigation Strategy

CERT/CC recommends immediate deployment of software version 1.9.4.48019 to address these critical vulnerabilities.

Additional hardening measures include restricting NTFS permissions on the application directory to the users and service accounts that must run the software, switching the application to Windows Authentication so that no SQL login password has to be stored in the connection string, enabling SQL Server encryption, and segmenting the network to limit which hosts can reach the database server.
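The script below is an added example of the NTFS hardening step, not a procedure from CERT/CC or Workhorse. It breaks permission inheritance on the application directory, removes the broad principals that turn "anyone with read access to the share" into every domain user, grants read access to one group, and then verifies the result. The directory path and the group name are assumptions.

```powershell
# Added example (not Workhorse's or CERT/CC's procedure): restrict the application directory
# to one group and verify that no broad principal retains read access.
$AppDir       = 'D:\Shares\Workhorse'      # assumed local path behind the network share
$AllowedGroup = 'CORP\Workhorse-Users'     # assumed AD group of legitimate application users

# 1. Stop inheriting from the parent (keeping a copy of the current ACEs) so the server's
#    default ACL, which typically grants BUILTIN\Users read access, no longer flows in.
icacls $AppDir /inheritance:d | Out-Null

# 2. Remove the broad principals.
icacls $AppDir /remove:g 'Everyone' 'Authenticated Users' 'Users' | Out-Null

# 3. Grant read/execute to application users only; full control to administrators and SYSTEM.
#    (OI)(CI) make the ACE inherit to files and subdirectories; :r replaces earlier grants.
icacls $AppDir /grant:r "${AllowedGroup}:(OI)(CI)RX" 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

# 4. Verify: fail if any broad principal still has an Allow ACE on the directory.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$remaining = (Get-Acl -Path $AppDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }

if ($remaining) {
    $remaining | ForEach-Object {
        Write-Warning "$($_.IdentityReference) still has $($_.FileSystemRights) on $AppDir"
    }
    exit 1
}
Write-Host "NTFS ACL on $AppDir restricted to $AllowedGroup; broad read access removed."
```

Note the limit of this control: every member of the allowed group still needs to read the configuration file to run the application, so while SQL Server authentication is in use those users can still read the password. NTFS restrictions narrow the exposure; only the upgrade and a move to Windows Authentication remove the secret from the share.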

| Vulnerability | CVE ID | CVSS Score | Attack Vector | Authentication Required |
|---|---|---|---|---|
| Plaintext Connection String | CVE-2025-9037 | Not Available | Network/Local | No |
| Unauthenticated Backup | CVE-2025-9040 | Not Available | Local/Remote | No |

This vulnerability disclosure originated from a security audit conducted by James Harrold of Sparrow IT Solutions during a new server installation process.

Organizations utilizing Workhorse software should prioritize immediate patching to prevent potential data breaches affecting municipal operations.

The post CERT/CC Issues Warning Over Critical Flaws in Workhorse Municipal Accounting Software appeared first on Cyber Security News.
