Security Affairs
Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

CERT/CC disclosed serious data exposure vulnerabilities in Workhorse Software used by hundreds of U.S. cities and towns. CERT Coordination Center (CERT/CC) at Carnegie Mellon University disclosed two serious data exposure flaws in an accounting application developed by Workhorse Software’s, and used by hundreds of U.S. cities and towns. CERT/CC disclosed the vulnerabilities only after the […]

Workhorse Software Services

CERT/CC disclosed serious data exposure vulnerabilities in Workhorse Software used by hundreds of U.S. cities and towns.

CERT Coordination Center (CERT/CC) at Carnegie Mellon University disclosed two serious data exposure flaws in an accounting application developed by Workhorse Software’s, and used by hundreds of U.S. cities and towns.

CERT/CC disclosed the vulnerabilities only after the vendor had addressed them.

The researcher James Harrold of Sparrow IT Solutions reported both vulnerabilities, which affect software before version 1.9.4.48019

“Workhorse Software Services, Inc municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration.” reads the Vulnerability Note published by CERT/CC. “Specifically, database connection information is stored in plaintext alongside the application executable, and the software allows unauthenticated users to create unencrypted database backups from the login screen.”

Workhorse Software Services provides software solutions to hundreds of municipalities in Wisconsin.

The first vulnerability is a plaintext database connection string issue tracked as CVE-2025-9037. The SQL Server connection string is stored in a plaintext configuration file located alongside the executable. The directory is usually located on a shared network folder on the same server as the SQL database. If SQL authentication is used, an attacker with read access to the directory can recover the credentials in this file.

The second vulnerability is an unauthenticated database backup functionality tracked as CVE-2025-9040. The app’s File menu lets users back up the database to an unencrypted ZIP, creating a .bak file that can be restored on any SQL Server without a password.

“An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data.” continues the Vulnerability Note. “Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.”

CERT/CC urges updating Workhorse Software to version 1.9.4.48019 immediately. Additional safeguards include restricting directory access, enabling SQL encryption and Windows Authentication, disabling the backup feature, and using network segmentation with firewalls to limit database access.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT/CC)