
CERT Coordination Center

Workhorse Software Services, Inc. software prior to version 1.9.4.48019 is vulnerable to multiple issues in its default deployment.

Vulnerability Note VU#706118

Original Release Date: 2025-08-19 | Last Revised: 2025-08-19

Overview

Workhorse Software Services, Inc municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration. Specifically, database connection information is stored in plaintext alongside the application executable, and the software allows unauthenticated users to create unencrypted database backups from the login screen.

Description

Two primary issues exist in Workhorse's design:

Plaintext Database Connection String

CVE-2025-9037: The software stores the SQL Server connection string in a plaintext configuration file located alongside the executable. In typical deployments, this directory is on a shared network folder hosted by the same server running the SQL database. If SQL authentication is used, credentials in this file could be recovered by anyone with read access to the directory.

Unauthenticated Database Backup Functionality

CVE-2025-9040: The application’s “File” menu, accessible even from the login screen, provides a database backup feature that executes an MS SQL Server Express backup and allows saving the resulting .bak file inside an unencrypted ZIP archive. This backup can be restored to any SQL Server instance without requiring a password.

An attacker with physical access to a workstation, with malware capable of reading network files, or through social engineering could exfiltrate full database backups without authentication.

Impact

An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data. Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.

Solution

The CERT/CC recommends updating the software to version 1.9.4.48019 as soon as possible. Other potential mitigations include:

* Restricting access to the application directory via NTFS permissions
* Enabling SQL Server encryption and Windows Authentication
* Disabling the backup feature at the vendor or configuration level
* Using network segmentation and firewall rules to limit database access
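As an added illustration of the first two mitigations (not code from the CERT/CC or from Workhorse), the following audit helper checks an installation directory for the CVE-2025-9037 pattern: plaintext SQL login credentials in the application config, no Windows Authentication, no connection encryption, and overly broad NTFS read access. It assumes a Windows host, a standard .NET app.config named workhorse.exe.config (the file named in the vendor statement); the function name, the demo directory and the weak sample config are constructed for the example.

```powershell
# Added audit helper (not Workhorse's or CERT/CC's code). Assumes the application
# directory holds a standard .NET app.config named workhorse.exe.config on a Windows host.
function Test-WorkhorseConnectionConfig {
    param([Parameter(Mandatory)][string]$AppDirectory)
    $findings   = @()
    $configPath = Join-Path $AppDirectory 'workhorse.exe.config'
    if (-not (Test-Path $configPath)) { return @("Config file not found: $configPath") }
    [xml]$cfg = Get-Content -Raw -Path $configPath
    $section  = $cfg.configuration.connectionStrings
    if ($null -eq $section) {
        $findings += 'No <connectionStrings> section found; check the file for credentials elsewhere.'
    } elseif ($section.configProtectionProvider) {
        $findings += "connectionStrings is encrypted via $($section.configProtectionProvider) (not plaintext)."
    } else {
        foreach ($entry in @($section.add | Where-Object { $null -ne $_ })) {
            $cs = [string]$entry.connectionString
            if ($cs -match '(?i)\b(password|pwd)\s*=') {
                $findings += "[$($entry.name)] plaintext SQL login credentials (CVE-2025-9037 pattern)."
            }
            if ($cs -notmatch '(?i)(integrated\s+security\s*=\s*(true|sspi)|trusted_connection\s*=\s*(true|yes))') {
                $findings += "[$($entry.name)] Windows Authentication (Integrated Security) not enabled."
            }
            if ($cs -notmatch '(?i)\bencrypt\s*=\s*(true|yes|mandatory)') {
                $findings += "[$($entry.name)] Encrypt=True not set; traffic to SQL Server may be unencrypted."
            }
        }
    }
    # NTFS check: well-known broad groups granted read access to the application directory
    $broadGroups = 'Everyone', 'Users', 'Authenticated Users', 'Domain Users'
    foreach ($ace in (Get-Acl -Path $AppDirectory).Access) {
        $group   = ([string]$ace.IdentityReference).Split('\')[-1]
        $canRead = ([int]($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and ($broadGroups -contains $group)) {
            $findings += "Directory readable by broad group '$($ace.IdentityReference)'; tighten NTFS permissions."
        }
    }
    return $findings
}
# Constructed demo input: a deliberately weak config written to a temp directory.
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'workhorse-audit-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
@'
<configuration>
  <connectionStrings>
    <add name="Workhorse" connectionString="Server=FINSRV\SQLEXPRESS;Database=Workhorse;User ID=wh_app;Password=CHANGEME" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path (Join-Path $demoDir 'workhorse.exe.config')
Test-WorkhorseConnectionConfig -AppDirectory $demoDir
```

Run against the real application share instead of the demo directory; a clean result on the config checks plus no broad-group ACL findings corresponds to the hardened state the vendor describes for current releases.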

Acknowledgements

This issue was reported during a security audit and new server installation by James Harrold, Sparrow IT Solutions. This document was written by Timur Snoke.

Vendor Information

Workhorse Software Services, Inc (status: Unknown)

Notified: 2025-06-11 Updated: 2025-08-19

Statement Date: July 30, 2025

CVE-2025-9037 (status: Unknown)
Vendor Statement:
This applied to prior versions of Workhorse Software, where the database connection string was stored in workhorse.exe.config. As of July 9, 2025, all connection strings are encrypted and stored securely. Workhorse is an on‑premises desktop application deployed entirely within the customer’s own IT network, and the SQL authentication method is determined by the customer’s IT department. The default configuration uses Windows Authentication with least‑privilege SQL accounts.
CVE-2025-9040 (status: Unknown)
Vendor Statement:
The in‑application backup feature has always been optional and can be disabled by the municipality’s IT department. As of the latest release, the ability for end‑users to directly save backup ZIP files has been removed; customers must now request backup files through our support team. Backups remain stored in SQL Server by the customer’s IT staff, who maintain full control of encryption and access.

Other Information

CVE IDs: CVE-2025-9037 CVE-2025-9040
API URL: VINCE JSON | CSAF
Date Public: 2025-08-19
Date First Published: 2025-08-19
Date Last Updated: 2025-08-19 16:44 UTC
Document Revision: 1

Sponsored by CISA.