{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/706118#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nWorkhorse Software Services, Inc. municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration. Specifically, database connection information is stored in plaintext alongside the application executable, and the software allows unauthenticated users to create unencrypted database backups from the login screen.\r\n### Description\r\nTwo primary issues exist in Workhorse's design:\r\n\r\n#### Plaintext Database Connection String\r\n**CVE-2025-9037** The software stores the SQL Server connection string in a plaintext configuration file located alongside the executable. In typical deployments, this directory is on a shared network folder hosted by the same server running the SQL database. If SQL authentication is used, credentials in this file could be recovered by anyone with read access to the directory.\r\n\r\n#### Unauthenticated Database Backup Functionality\r\n**CVE-2025-9040** The application’s “File” menu, accessible even from the login screen, provides a database backup feature that executes an MS SQL Server Express backup and allows saving the resulting .bak file inside an unencrypted ZIP archive. This backup can be restored to any SQL Server instance without requiring a password.\r\n\r\nAn attacker with physical access to a workstation, with malware capable of reading network files, or through social engineering could exfiltrate full database backups without authentication.\r\n\r\n### Impact\r\nAn attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data. Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.\r\n\r\n### Solution\r\nThe CERT/CC recommends updating the software to version 1.9.4.48019 as soon as possible.\r\nOther potential mitigations include:\r\n* Restricting access to the application directory via NTFS permissions\r\n* Enabling SQL Server encryption and Windows Authentication\r\n* Disabling the backup feature at the vendor or configuration level\r\n* Using network segmentation and firewall rules to limit database access\r\n\r\n### Acknowledgements\r\nThis issue was reported during a security audit and new server installation by James Harrold, Sparrow IT Solutions. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/706118"}],"title":"Workhorse Software Services, Inc. software prior to version 1.9.4.48019 in its default deployment is vulnerable to multiple issues.","tracking":{"current_release_date":"2025-08-19T16:44:10+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#706118","initial_release_date":"2025-08-19 16:44:10.001919+00:00","revision_history":[{"date":"2025-08-19T16:44:10+00:00","number":"1.20250819164410.1","summary":"Released on 2025-08-19T16:44:10+00:00"}],"status":"final","version":"1.20250819164410.1"}},"vulnerabilities":[{"title":"The database connection string for the application is stored as plaintext in the program folder.","notes":[{"category":"summary","text":"The database connection string for the application is stored as plaintext in the program folder."}],"cve":"CVE-2025-9037","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#706118"}]},{"title":"User-initiated backups of the SQL database are unencrypted and require no credentials to restore to another system, exposing the contents of the database without authentication.","notes":[{"category":"summary","text":"User-initiated backups of the SQL database are unencrypted and require no credentials to restore to another system, exposing the contents of the database without authentication."}],"cve":"CVE-2025-9040","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#706118"}]}],"product_tree":{"branches":[{"category":"vendor","name":"Workhorse Software Services, Inc","product":{"name":"Workhorse Software Services, Inc Products","product_id":"CSAFPID-e5e6a650-356e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Workhorse Software Services, Inc","product":{"name":"Workhorse Software Services, Inc Products","product_id":"CSAFPID-e5e72774-356e-11f1-8422-122e2785dc9f"}}]}}