Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data

Flaws in Software Used by Hundreds of Cities and Towns Exposed Sensitive Data

Posted on By CWS

Two doubtlessly critical vulnerabilities have been discovered by a researcher in accounting software program utilized by lots of of cities and cities.

The affected software is made by Workhorse Software program Companies, which supplies software program options to 310 municipalities in Wisconsin. The seller has launched patches and mitigations after being notified.

The vulnerabilities, found by researcher James Harrold of Sparrow IT Options, had been disclosed this week by the CERT Coordination Middle (CERT/CC) at Carnegie Mellon College. 

One of many flaws, tracked as CVE-2025-9037, is an data publicity concern associated to SQL server connection credentials being saved in a plaintext file that’s sometimes in a shared community folder.

The second concern, CVE-2025-9040, is expounded to the supply of a database backup characteristic accessible from the login display that permits the creation of an unencrypted database backup file, which might later be restored on any SQL server with out a password.

This database backup might be copied by anybody with bodily entry to the machine working the Workhorse software program, or by malware current on the system.

“An attacker may receive the entire database, doubtlessly exposing delicate personally identifiable data (PII) comparable to Social Safety numbers, full municipal monetary data, and different confidential knowledge,” CERT/CC stated. “Possession of a database backup may additionally allow knowledge tampering, doubtlessly undermining audit trails and compromising the integrity of municipal monetary operations.”

Model 1.9.4.48019 patches the vulnerabilities and mitigations are additionally obtainable. Along with releasing patches and mitigations, Workhorse identified that clients have been accountable for the SQL authentication methodology utilized by the software program, and the problematic backup performance has all the time been non-obligatory. Commercial. Scroll to proceed studying.

Associated: Flaws in Gigabyte Firmware Permit Safety Bypass, Backdoor Deployment

Associated: ‘MadeYouReset’ HTTP2 Vulnerability Permits Huge DDoS Assaults

Associated: Unpatched Ruckus Vulnerabilities Permit Wi-fi Surroundings Hacking

Security Week News Tags:, , , , , , ,

Related Posts

Helmet Security Emerges From Stealth Mode With Million in Funding Helmet Security Emerges From Stealth Mode With $9 Million in Funding Security Week News
Flaw Allowing Website Takeover Found in WordPress Plugin With 400k Installations Flaw Allowing Website Takeover Found in WordPress Plugin With 400k Installations Security Week News
Beyond GenAI: Why Agentic AI Was the Real Conversation at RSA 2025 Beyond GenAI: Why Agentic AI Was the Real Conversation at RSA 2025 Security Week News
Critical Apex One Flaws Patched by TrendAI Critical Apex One Flaws Patched by TrendAI Security Week News
Novee Emerges From Stealth With .5 Million in Funding Novee Emerges From Stealth With $51.5 Million in Funding Security Week News
Going Into the Deep End: Social Engineering and the AI Flood Going Into the Deep End: Social Engineering and the AI Flood Security Week News