Vulnerabilities in municipal software expose sensitive data in Wisconsin

Researchers revealed flaws in Workhorse Software that exposed municipal databases, raising alarms over privacy, cybersecurity and the need for stronger safeguards in local government systems.
Workhorse Software, municipal vulnerabilities, CVE-2025-9037, CVE-2025-9040, Wisconsin municipalities, accounting software flaw, CERT/CC, sensitive data exposure, cybersecurity patch, local government security

Two critical vulnerabilities have been discovered in an accounting application developed by Workhorse Software and used by more than 300 municipalities in Wisconsin.

The first flaw, CVE-2025-9037, involved SQL server connection credentials stored in plain text within a shared network folder. The second, CVE-2025-9040, allowed backups to be created and restored from the login screen without authentication.

Both issues were disclosed by the CERT Coordination Centre at Carnegie Mellon University following a report from Sparrow IT Solutions. Exploitation could give attackers access to personally identifiable information such as Social Security numbers, financial records and audit logs.

Workhorse has since released version 1.9.4.48019 with security patches, urging municipalities to update their systems immediately. The incident underscores the risks posed by vulnerable software in critical public infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!