Salesforce Marketing Cloud Vulnerabilities Expose Critical Cross-Tenant Subscriber Data Risks


A recent disclosure has unveiled significant vulnerabilities within Salesforce Marketing Cloud (SFMC), spotlighting the security risks associated with centralized marketing infrastructures. This revelation raises alarms about the potential for unauthorized access to sensitive subscriber data across multiple tenant environments.

The vulnerabilities identified primarily affect components associated with AMPScript, CloudPages, and email-rendering workflows. Attackers could exploit these flaws to gain access to subscriber information, enumerate marketing emails, and potentially compromise organizations operating within the SFMC ecosystem.

AMPScript and SFMC Template Injection Risks

Salesforce Marketing Cloud is a critical tool for modern enterprises, facilitating large-scale marketing campaigns, personalized customer journeys, and trackable email communications. Formerly known as ExactTarget, SFMC leverages technologies such as AMPScript, Server-Side JavaScript (SSJS), and internal data views linked to extensive subscriber databases.

While these features offer flexibility for marketers, they also amplify the impact of any underlying vulnerability. Researchers have raised concerns about SFMC’s server-side templating framework, which lets organizations dynamically insert subscriber attributes, such as names, email addresses, and engagement metrics, directly into marketing content. Functions like TreatAsContent pose a significant risk because they evaluate their input as executable template code, even when that input is user-controlled.

If attacker-controlled data is passed into these functions, it can trigger template injection within SFMC environments. The issue is exacerbated by SFMC’s historical support for AMPScript execution within email subject lines, which left a legacy behavior in which subject templates are evaluated twice by default. This design flaw opens the door for payload execution during the second rendering stage: a directive that arrives as plain subscriber data in the first pass is executed in the second.

Researchers demonstrated this risk using a payload inserted into a name field:

%%=RowCount(LookupRows("_Subscribers","SubscriberKey",_subscriberkey))=%%

If processed during the second evaluation phase, this payload could execute successfully, creating a reliable injection point within the marketing workflow. Once template execution is achieved, attackers could utilize built-in SFMC functions such as LookupRows to query internal Data Views, including:

  • _Subscribers
  • _Sent
  • _Job
  • _SMSMessageTracking
  • _Click

Access to these views could expose subscriber lists, email delivery records, engagement metrics, and message history associated with affected Salesforce Marketing Cloud tenants.
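The double-evaluation problem described above is easier to see with a toy template engine. The following Go program is an added illustration, not code from Salesforce, Searchlight Cyber or this article: its %%=Function("arg")=%% directive syntax, the AttributeValue and RowCount functions and the three-row _Subscribers view are constructed stand-ins for the real AMPScript runtime. RenderDouble models the legacy subject-line behavior, RenderSingle the remediated single pass that Salesforce's fix corresponds to, and RenderDoubleEscaped a defense-in-depth option (escaping substituted values) that is this example's own suggestion.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subscriber holds the attributes a campaign can merge into content. In the
// scenario above, the "name" attribute is the field an outsider can fill in
// (constructed example data).
type Subscriber map[string]string

// dataViews stands in for SFMC's internal Data Views (constructed: three rows).
var dataViews = map[string][]string{
	"_Subscribers": {"s1", "s2", "s3"},
}

// directive matches one %%=Function("argument")=%% directive of this toy
// language; real AMPScript is considerably richer.
var directive = regexp.MustCompile(`%%=(\w+)\("([^"]*)"\)=%%`)

// evalOnce resolves every directive in tpl exactly one time. With escape set,
// the "%%" delimiters inside substituted values are HTML-encoded, so a later
// rendering pass sees data rather than a directive.
func evalOnce(tpl string, sub Subscriber, escape bool) string {
	return directive.ReplaceAllStringFunc(tpl, func(m string) string {
		parts := directive.FindStringSubmatch(m)
		fn, arg := parts[1], parts[2]
		var out string
		switch fn {
		case "AttributeValue": // subscriber attribute lookup
			out = sub[arg]
		case "RowCount": // number of rows in a data view
			out = fmt.Sprint(len(dataViews[arg]))
		default:
			out = "" // unknown functions render as empty text
		}
		if escape {
			out = strings.ReplaceAll(out, "%%", "&#37;&#37;")
		}
		return out
	})
}

// RenderDouble models the legacy subject-line behavior: two evaluation
// passes, so directive text that arrived as subscriber data in pass one is
// executed in pass two.
func RenderDouble(tpl string, sub Subscriber) string {
	return evalOnce(evalOnce(tpl, sub, false), sub, false)
}

// RenderSingle is the remediated behavior: one pass, so substituted values
// are never re-parsed.
func RenderSingle(tpl string, sub Subscriber) string {
	return evalOnce(tpl, sub, false)
}

// RenderDoubleEscaped keeps two passes but escapes substituted values, for
// templates that genuinely must be evaluated more than once.
func RenderDoubleEscaped(tpl string, sub Subscriber) string {
	return evalOnce(evalOnce(tpl, sub, true), sub, true)
}

func main() {
	tpl := `Hello %%=AttributeValue("name")=%%`
	for _, sub := range []Subscriber{
		{"name": "Alice"},
		{"name": `%%=RowCount("_Subscribers")=%%`}, // directive smuggled in via a data field
	} {
		fmt.Printf("double:  %s\n", RenderDouble(tpl, sub))
		fmt.Printf("single:  %s\n", RenderSingle(tpl, sub))
		fmt.Printf("escaped: %s\n\n", RenderDoubleEscaped(tpl, sub))
	}
}
```

With the benign subscriber all three renderers print "Hello Alice". With the smuggled directive, RenderDouble prints "Hello 3" (the data view was queried), while RenderSingle and RenderDoubleEscaped leave the directive text inert. The escaping shown is only meaningful for HTML bodies; for subject lines the single-pass fix is the one that matters.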

CloudPages and “View Email in Browser” Vulnerability

An even more serious vulnerability has been identified concerning SFMC’s “view email in browser” functionality and CloudPages infrastructure. Many Salesforce customers configure branded domains, such as view.example.com or pages.example.com, which route back to shared SFMC infrastructure. These links typically rely on an encrypted qs parameter that contains tenant and message-specific information.

Researchers from Searchlight Cyber noted that the older “classic” qs implementation employed unauthenticated CBC encryption. This implementation behaved as a padding oracle, allowing the decryption and re-encryption of query string parameters under specific conditions. Initially, researchers exploited this weakness using the Padre tool before enhancing the process through the AMPScript MicrositeURL function.

This exploitation enabled the forging of valid QS values, granting access to workflows such as “Forward to a Friend,” which could resolve subscriber identifiers into actual email addresses. A critical concern is SFMC’s use of a single static encryption key shared across tenants. Once the cryptographic structure is understood, attackers could theoretically enumerate subscribers and access email content across multiple organizations.

Legacy Encryption Weaknesses Expanded the Attack Surface

The researchers also uncovered an older URL format that relied on per-parameter “encryption.” However, this mechanism was based on a repeating static XOR key combined with a checksum. Although considered legacy functionality, this scheme still operates on modern SFMC tenants.

Due to the lack of robust cryptographic protections, attackers could decrypt and enumerate parameters such as JobID and ListSubscriber at high speed, bypassing the slower padding-oracle technique. These findings underscore how legacy systems within large cloud platforms can continue to pose security risks long after newer protections have been implemented.
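To make concrete why an unauthenticated CBC token is malleable (the precondition for a padding oracle) and what the migration to AES-GCM described later in this article buys, here is an added Go example. It is not Salesforce's implementation: the token layouts, the use of the tenant identifier as associated data, and the HMAC-based per-tenant key derivation are assumptions made for illustration. A single flipped bit in the legacy-style token decrypts without any error, while the same change to the GCM token is rejected before any plaintext is released; the tenant binding and per-tenant keys show two ways a token can be made unusable outside the tenant it was issued for, in contrast with one static key shared across tenants.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func newBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here
	}
	return block
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 || len(b)%n != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding") // a distinguishable failure: the padding-oracle signal
	}
	return b[:len(b)-p], nil
}

// sealCBC: legacy-style token IV || AES-CBC(pad(pt)), no integrity tag (hypothetical layout).
func sealCBC(key, pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand: never returns an error on supported platforms
	padded := pkcs7Pad(pt, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(newBlock(key), iv).CryptBlocks(ct, padded)
	return append(iv, ct...)
}

// openCBC: nothing detects a modified ciphertext; a flipped IV bit just flips one plaintext bit.
func openCBC(key, tok []byte) ([]byte, error) {
	if len(tok) < 2*aes.BlockSize || len(tok)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(tok)-aes.BlockSize)
	cipher.NewCBCDecrypter(newBlock(key), tok[:aes.BlockSize]).CryptBlocks(pt, tok[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

func newGCM(key []byte) cipher.AEAD {
	gcm, _ := cipher.NewGCM(newBlock(key)) // cannot fail for AES's 16-byte block size
	return gcm
}

// sealGCM: remediated-style token nonce || AES-GCM(pt); tenant ID bound as associated data.
func sealGCM(key []byte, tenantID string, pt []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, []byte(tenantID))
}

// openGCM rejects any change to nonce, ciphertext, tag or tenant binding before releasing plaintext.
func openGCM(key []byte, tenantID string, tok []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(tok) < gcm.NonceSize() {
		return nil, errors.New("bad length")
	}
	return gcm.Open(nil, tok[:gcm.NonceSize()], tok[gcm.NonceSize():], []byte(tenantID))
}

// tenantKey derives a distinct AES-256 key per tenant (HMAC-SHA256 as a minimal KDF).
func tenantKey(master []byte, tenantID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("qs-token-key/" + tenantID))
	return m.Sum(nil)
}

func main() {
	keyA := tenantKey(bytes.Repeat([]byte{0x42}, 32), "tenantA") // constructed master key
	pt := []byte("JobID=12345&SubscriberKey=abc")                // constructed token body
	cbc, gcm := sealCBC(keyA, pt), sealGCM(keyA, "tenantA", pt)
	cbc[0] ^= 0x01          // one IV bit flipped: CBC still decrypts "successfully"
	gcm[len(gcm)-1] ^= 0x01 // one tag bit flipped: GCM rejects the token
	out, err := openCBC(keyA, cbc)
	fmt.Printf("CBC after tamper: %q err=%v\n", out, err)
	_, err = openGCM(keyA, "tenantA", gcm)
	fmt.Println("GCM after tamper:", err)
}
```

Two design points carry over to any link-token scheme: an integrity check must cover the whole token (GCM's tag covers nonce-bound ciphertext and associated data together), and the verification must fail before any decrypted byte or any distinguishable padding error reaches the caller, which is what removes the oracle.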

Impact of the Salesforce Marketing Cloud Vulnerability

The combined vulnerabilities could enable attackers to:

  • Enumerate and exfiltrate subscriber records
  • Access sent marketing emails and engagement data
  • Forge cross-tenant QS tokens
  • Access emails belonging to other organizations
  • Exploit hard-coded cryptographic material
  • Abuse argument-injection flaws tied to the MicrositeURL function
  • Manipulate CloudPages and other SFMC web workflows

In response to these vulnerabilities, Salesforce assigned multiple CVEs addressing various root causes, including insecure cryptographic implementations, hard-coded keys, and argument injection vulnerabilities affecting the MicrositeURL and CloudPages components.

Salesforce reported these vulnerabilities on January 16, 2026, and deployed mitigations between January 21 and January 24, 2026. The company stated that no confirmed malicious exploitation had been identified at the time of disclosure. As part of the remediation process, Salesforce migrated Marketing Cloud Engagement encryption to AES-GCM, rotated encryption keys, and disabled the double evaluation behavior associated with AMPScript subject-line rendering.

Additionally, Salesforce invalidated all legacy tracking and CloudPages links created before January 21, 2026, at 23:00 UTC, with those links expiring globally on January 23, 2026, at 21:00 UTC.

For further insights on this critical issue, visit the original reporting source: thecyberexpress.com.
