PT-2025-34193
Published 2025-08-21 · Updated 2025-08-21 · CVE-2025-9040
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
New vulnerabilities in Workhorse Software threaten sensitive data in cities and towns across Wisconsin.
Key Points:
- Two serious vulnerabilities discovered in Workhorse Software's accounting application.
- Vulnerabilities expose sensitive personally identifiable information (PII) stored in the application.
- Patches have been released, but municipalities are responsible for SQL authentication methods.
Researchers have identified two critical vulnerabilities in an accounting software application from Workhorse Software Services, a platform utilized by 310 municipalities in Wisconsin. The first vulnerability, labeled CVE-2025-9037, relates to the insecure storage of SQL server connection credentials. These credentials are kept in a plaintext file located within a shared network folder, making them accessible to anyone who can reach that folder. The ramifications of this flaw include a substantial risk that attackers could gain unauthorized access to databases containing sensitive information.
The second vulnerability, tracked as CVE-2025-9040, allows for the creation of unencrypted database backup files directly accessible from the login screen. This means anyone with physical access to the device running Workhorse software—or malware infiltrating the system—could potentially copy the entire database. The exposure of sensitive information, including Social Security numbers and municipal financial records, could severely undermine public trust and the integrity of municipal operations. Although Workhorse Software has released patches to address these issues, the responsibility for secure SQL authentication remains with the municipalities themselves.
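Because the choice of SQL authentication stays with each municipality, a useful check is whether any file in the shared application folder still carries a SQL login and password. The following is an added example, not code from the advisory or the vendor: it assumes the credentials appear as ADO.NET/ODBC-style connection strings, and the file names and values are constructed.

```python
import os
import re
import tempfile

# Assumption: the credential file holds ADO.NET/ODBC-style "key=value;" connection strings.
SERVER = re.compile(r"(?i)\b(?:server|data source)\s*=\s*[^;\s]")
SECRET = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]")
INTEGRATED = re.compile(r"(?i)\b(?:integrated security|trusted_connection)\s*=\s*(?:true|yes|sspi)\b")

def classify(line):
    """Classify one line: 'sql-auth-plaintext', 'integrated', or None."""
    if not SERVER.search(line):
        return None                      # not a connection string
    if SECRET.search(line):
        return "sql-auth-plaintext"      # a password sits in the file in the clear
    if INTEGRATED.search(line):
        return "integrated"              # Windows authentication, no stored secret
    return None

def audit(root, max_bytes=1_000_000):
    """Walk root; return sorted (relative_path, line_no, verdict), never the secret."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.getsize(path) > max_bytes:
                continue                 # skip large binaries such as backups
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for no, line in enumerate(fh, 1):
                    verdict = classify(line)
                    if verdict:
                        findings.append((os.path.relpath(path, root), no, verdict))
    return sorted(findings)

def demo():
    """Run the audit over a constructed folder standing in for the shared directory."""
    with tempfile.TemporaryDirectory() as share:
        samples = {  # constructed sample files, not taken from the product
            "app.ini": "[db]\nConn=Server=sql01;Database=fin;User ID=app;Password=Example1!\n",
            "fixed.ini": "[db]\nConn=Server=sql01;Database=fin;Integrated Security=SSPI;\n",
            "readme.txt": "Contact the clerk to reset your password = ask in person\n",
        }
        for name, text in samples.items():
            with open(os.path.join(share, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit(share)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Findings report only the file, line number and verdict, so the audit output can be shared without repeating the password it found.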
What measures should municipalities take to enhance their cybersecurity practices?
Learn More: Security Week