CERT/CC Warns of Workhorse Municipal Accounting Flaws, Patch Available
Officials are urged to update to version 1.9.4.48019 to curb easy full‑database theft.
Overview
- Two design issues tracked as CVE-2025-9037 and CVE-2025-9040 enable credential exposure and unauthenticated, unencrypted database backups.
- Before version 1.9.4.48019, SQL credentials were stored in a plaintext configuration file beside the executable, often on shared network folders.
- A backup feature reachable from the login screen, before any login, could write a SQL Server .bak file into an unencrypted ZIP; that .bak can be restored on any SQL Server instance without a password.
- CERT/CC warns that attackers with physical access, malware, or social engineering could obtain complete databases containing PII and municipal financial records.
- Workhorse issued fixes and noted that SQL authentication is a customer choice and the backup feature is optional. Recommended mitigations are NTFS restrictions on the install folder, Windows Authentication instead of SQL credentials, database encryption, disabling the backup feature, and network segmentation.
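The two exposure patterns above (plaintext SQL credentials in a configuration file next to the executable, and a .bak shipped inside an unencrypted ZIP) are both findable by walking the install share. The script below is an added example written for this page, not Workhorse's code and not part of CERT/CC's advisory. The page does not name the configuration file or its keys, so the file globs, the ADO.NET-style `Key=Value;` connection-string format, and the sample contents are assumptions; the sample INI, XML fragment and ZIP are constructed here for illustration.

```python
"""Audit an install or share folder for the two exposure patterns described
above: plaintext SQL-authentication credentials in a config file, and .bak
files inside ZIPs that carry no ZIP-level encryption.

Added example for this page, not Workhorse's code. File names, config keys
and sample data are assumptions."""
import io
import re
import sys
import zipfile
from pathlib import Path

# File types to inspect next to the executable (assumed; the page does not name the real file).
CONFIG_GLOBS = ("*.ini", "*.config", "*.xml", "*.txt")
# Keys carrying a plaintext SQL-auth password in ADO.NET/ODBC style strings (assumed format).
PASSWORD_KEYS = ("password", "pwd")
# Keys that select Windows Authentication, the recommended replacement.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
# A candidate connection string starts at Server=/Data Source= and stops at a quote,
# angle bracket or end of line, so both XML attributes and INI values match.
CONN_RE = re.compile(r'(?i)((?:server|data source)\s*=[^"\'<>\r\n]*)')


def parse_connection_string(s: str) -> dict:
    """Split 'Key=Value;...' into a dict keyed by lower-cased key."""
    parts = {}
    for piece in s.split(";"):
        if "=" in piece:
            key, value = piece.split("=", 1)
            parts[key.strip().lower()] = value.strip().strip("\"'")
    return parts


def classify_connection_string(s: str) -> str:
    """'windows_auth' if integrated security is on, 'sql_auth_plaintext' if a
    non-empty password is embedded, otherwise 'unknown'."""
    parts = parse_connection_string(s)
    for key in INTEGRATED_KEYS:
        if parts.get(key, "").lower() in ("true", "sspi", "yes"):
            return "windows_auth"
    for key in PASSWORD_KEYS:
        if parts.get(key):
            return "sql_auth_plaintext"
    return "unknown"


def audit_config_text(text: str) -> list:
    """Return (connection_string, classification) for every candidate in the text."""
    return [(m, classify_connection_string(m)) for m in CONN_RE.findall(text)]


def audit_zip_bytes(data: bytes) -> list:
    """Return (member_name, is_encrypted) for every .bak member of a ZIP.
    Bit 0 of the general-purpose flag is set only when the member is encrypted;
    a .bak with the bit clear can be pulled out and restored as-is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".bak"):
                findings.append((info.filename, bool(info.flag_bits & 0x1)))
    return findings


def audit_folder(root) -> list:
    """Walk a folder (e.g. the network share holding the install) and collect both kinds of finding."""
    root = Path(root)
    findings = []
    for pattern in CONFIG_GLOBS:
        for path in root.rglob(pattern):
            for conn, verdict in audit_config_text(path.read_text(errors="replace")):
                if verdict == "sql_auth_plaintext":
                    findings.append(("plaintext_sql_credentials", str(path), conn))
    for path in root.rglob("*.zip"):
        for name, encrypted in audit_zip_bytes(path.read_bytes()):
            if not encrypted:
                findings.append(("unencrypted_backup_in_zip", str(path), name))
    return findings


# Constructed samples (not real Workhorse files): the weak setting and the recommended one.
SAMPLE_INI_BEFORE = (
    "[Database]\n"
    "ConnectionString=Server=ACCT-SQL01;Database=Accounting;User ID=sa;Password=Summer2025!;\n"
)
SAMPLE_CONFIG_AFTER = (
    "<connectionStrings>\n"
    '  <add name="Accounting" connectionString="Server=ACCT-SQL01;Database=Accounting;Integrated Security=SSPI;" />\n'
    "</connectionStrings>\n"
)


def build_sample_zip() -> bytes:
    """Constructed ZIP with an unencrypted .bak member, as the pre-fix feature would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Accounting.bak", b"TAPE" + b"\x00" * 64)  # placeholder bytes, not a real backup
        zf.writestr("readme.txt", b"backup taken from login screen")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for kind, where, detail in audit_folder(sys.argv[1]):
            print(f"{kind}\t{where}\t{detail}")
    else:
        print(audit_config_text(SAMPLE_INI_BEFORE))
        print(audit_config_text(SAMPLE_CONFIG_AFTER))
        print(audit_zip_bytes(build_sample_zip()))
```

Run it against the share root to get one line per finding; a hit of the first kind is a config that should move to Windows Authentication (and have its NTFS ACL tightened in the meantime), a hit of the second kind is a backup artifact that should be deleted or moved off the share. ZIP-level encryption is the only thing this check can see from the archive headers; whether the .bak itself was taken with SQL Server backup encryption has to be verified on the server side.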