Introduction
Today, we’re thrilled to sit down with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With a keen eye for spotting critical flaws, Rupert recently uncovered significant vulnerabilities in a widely used accounting application from Workhorse Software Services, impacting hundreds of municipalities. In this interview, we dive into the nature of these security gaps, their potential impact on local governments and residents, the response from the software vendor, and broader implications for cybersecurity practices in public sector tech. Join us as Rupert breaks down complex issues into clear insights and shares his perspective on keeping sensitive data safe.
How did you first come across the vulnerabilities in the Workhorse Software Services application, and what initially drew your attention to it?
I stumbled upon these issues while conducting a routine security assessment for a client who was using the software for municipal accounting. What caught my eye was the sheer number of cities and towns relying on this application—over 300 in just one state. That scale made me curious about its security posture, especially since public sector software often handles highly sensitive data. As I dug deeper, I noticed some odd configurations in how the system managed credentials and backups, which raised immediate red flags. It felt like a ticking time bomb waiting for the wrong person to exploit it.
Can you break down the first vulnerability, CVE-2025-9037, in simple terms and explain why it’s such a serious problem?
Absolutely. This vulnerability is all about how the software stores SQL server connection credentials—basically, the keys to the database—in a plaintext file. That means there’s no encryption or protection; it’s just sitting there in readable text. What makes it worse is that this file is often kept in a shared network folder, which is like leaving your house key under the doormat in a busy neighborhood. If someone with access to that network—whether it’s an insider or a hacker who’s breached the system—finds this file, they can log straight into the database and access everything. It’s a fundamental security flaw that opens the door to massive data theft.
Moving to the second issue, CVE-2025-9040, can you describe how the database backup feature could be misused by an attacker?
This one is just as troubling. The software has a backup feature right on the login screen that lets anyone create a full copy of the database without any encryption. No password, no security—just a file you can grab and restore on any SQL server. If someone has physical access to the device running the software, or if there’s malware on the system, they can snatch this backup file in a heartbeat. Once they have it, they’ve got the entire database at their fingertips, which could include sensitive stuff like Social Security numbers or financial records. It’s a goldmine for identity thieves or anyone looking to cause havoc.
What kind of impact could these vulnerabilities have on the municipalities using this software and the residents they serve?
The impact could be devastating. For the municipalities, a breach could mean exposure of critical financial data—think full budgets, payrolls, and vendor contracts. For residents, it’s even more personal. We’re talking about Social Security numbers, tax records, and other private information getting into the wrong hands, which could lead to identity theft or fraud on a massive scale. Beyond that, there’s the risk of data tampering. An attacker could alter records, mess with audit trails, and undermine trust in the entire system. It’s not just a data leak; it could erode confidence in local government operations for years.
How did Workhorse Software Services handle the situation after you brought these issues to their attention?
I’ll give them credit for acting relatively quickly once I reported the problems. They acknowledged the vulnerabilities and worked on a fix, releasing patches and mitigations in version 1.9.4.48019. The update addresses the plaintext credential storage by securing how those files are handled and adds protections around the backup feature to prevent unauthorized access. They also provided guidance to customers on securing their setups. While the response wasn’t perfect—it took some back-and-forth to get full clarity on the scope of the issues—I’m glad they didn’t sweep it under the rug and took steps to mitigate the risks.
Workhorse mentioned that customers are responsible for choosing the SQL authentication method. How do you see this affecting the municipalities using their software?
Honestly, I think it places a heavy burden on the customers, many of whom may not have the technical expertise or resources to make informed decisions about authentication methods. Municipalities often run on tight budgets and small IT teams—if they have one at all. Expecting them to configure complex security settings correctly is a tall order. While I understand vendors can’t control every aspect of a customer’s environment, leaving something as critical as authentication up to the end user without robust default protections or clear guidance can lead to widespread misconfigurations and, ultimately, breaches.
Workhorse also noted that the backup functionality is optional. Do you think this lessens the severity of the vulnerability?
Not really. Sure, it’s optional, but how many users actually know the risks of turning it on? In my experience, people often enable features like backups because they sound useful, without realizing the security implications. If the feature is available and not locked down by default, a significant number of users are likely still at risk. I’d wager that many municipalities have this enabled simply because they weren’t aware of the danger. Optional or not, if it’s in the software, it needs to be secure out of the box—or at least come with big, bold warnings.
Looking ahead, what is your forecast for cybersecurity challenges in public sector software like this?
I think we’re going to see growing pains as more public sector entities digitize their operations. The rush to modernize often outpaces the focus on security, and that’s a recipe for trouble. Budget constraints, legacy systems, and a shortage of skilled cybersecurity staff will continue to be major hurdles. At the same time, attackers are getting smarter, targeting smaller municipalities because they know they’re often underprotected. My forecast is that we’ll see more incidents like this unless vendors step up with built-in security and governments invest in training and resources. It’s a shared responsibility, and I hope this case sparks a broader conversation about how we protect the backbone of local communities.