Urgent: CERT/CC Warns of Severe Data Exposure Vulnerabilities in Workhorse Software's Accounting App
CERT/CC has warned of two serious data exposure vulnerabilities in Workhorse Software's accounting application, used by hundreds of U.S. cities and towns. The flaws, discovered by security researcher Alice Johnson, could expose sensitive personally identifiable information (PII) and compromise municipal financial operations.
The first vulnerability, CVE-2025-9037, involves a plaintext database connection string stored alongside the application executable. Anyone who can read that file can use the connection string to reach the database, which allows unauthorized access to sensitive data. The second vulnerability, CVE-2025-9040, lets unauthenticated users create unencrypted database backups from the login screen, facilitating data exfiltration.
Versions before 1.9.4.48019 are affected. James Harrold of Sparrow IT Solutions reported these issues to CERT/CC. Exploitation could have severe consequences, including the exposure of PII and disruption of financial operations.
CERT/CC urges immediate action. All users of Workhorse Software's accounting application should update to version 1.9.4.48019 and implement additional safeguards to protect against these vulnerabilities. Failure to do so may result in unauthorized data access and exfiltration.
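A defensive audit for the condition behind CVE-2025-9037, added here as an example and not code from CERT/CC or Workhorse Software: it walks an install directory and flags files that contain a connection string with an embedded password, redacting the secret in its output. The ADO.NET/ODBC-style `key=value;` format, the key names and the sample file names are assumptions, since the article does not name the file or its format.

```python
import os
import re
import tempfile

# Assumption: ADO.NET/ODBC-style "key=value;" strings starting at Server/Data Source.
CONN_RE = re.compile(r"(?:Data Source|Server)\s*=[^\r\n\"'<>]*", re.IGNORECASE)
SECRET_KEYS = ("password", "pwd")

def parse_pairs(conn):
    """Split a connection string into a lower-cased key -> value dict."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def scan_dir(root, max_bytes=1_000_000):
    """Return (path, redacted_string) for each plaintext credential found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: nothing to report
            for match in CONN_RE.finditer(text):
                pairs = parse_pairs(match.group(0))
                secret = next((pairs[k] for k in SECRET_KEYS if pairs.get(k)), None)
                if secret:  # integrated-auth strings carry no password and pass
                    findings.append((path, match.group(0).replace(secret, "<redacted>")))
    return findings

def demo():
    """Scan a constructed install directory (all sample data is made up)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "app.exe.config": '<add connectionString="Server=db01;Database=acct;User Id=app;Password=S3cret!;" />',
            "trusted.config": '<add connectionString="Server=db01;Database=acct;Integrated Security=SSPI;" />',
            "readme.txt": "Server setup notes, no credentials here.",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [(os.path.basename(p), s) for p, s in scan_dir(root)]
```

Point `scan_dir` at the application's install directory on each host; any finding means the database credential should be rotated after the update is applied.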