Security Vulnerabilities Found in Salesforce Industry Cloud
Cybersecurity researchers have revealed over 20 configuration-related vulnerabilities within Salesforce Industry Cloud, also known as Salesforce Industries. These risks potentially expose sensitive data to unauthorized access, both from internal users and outside entities.
A Closer Look at the Vulnerabilities
These misconfigurations affect various components within the platform, including FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. Aaron Costello, the chief of SaaS Security Research at AppOmni, highlights a crucial point: while low-code platforms like Salesforce simplify application development, they may introduce security risks if not handled properly.
Risks of Misconfiguration
Unaddressed vulnerabilities could allow malicious actors to access encrypted information about both employees and customers. This includes session data that tracks user interactions with Salesforce Industry Cloud, as well as sensitive credentials linked to Salesforce and other business systems. Furthermore, exposed business logic may permit attackers to manipulate the system for nefarious purposes.
Salesforce’s Response
In response to these threats, Salesforce has made strides to mitigate the risks. The company acknowledged three vulnerabilities and has provided configuration guidance for an additional two. However, the remaining 16 vulnerabilities have been left for customers to rectify independently.
The following are some vulnerabilities cataloged with CVE identifiers:
- CVE-2025-43697: If ‘Check Field Level Security’ is not enabled for ‘Extract’ and ‘Turbo Extract’ Data Mappers, the ‘View Encrypted Data’ permission check fails, revealing cleartext values to users.
- CVE-2025-43698: The SOQL data source bypasses Field-Level Security when retrieving data from Salesforce objects.
- CVE-2025-43699: FlexCard does not correctly enforce ‘Required Permissions’ for the OmniUiCard object.
- CVE-2025-43700: FlexCard fails to uphold the ‘View Encrypted Data’ permission, providing plaintext values for encrypted data.
- CVE-2025-43701: FlexCard enables Guest Users to access values for Custom Settings.
These vulnerabilities create significant risks, allowing attackers to bypass security measures and extract critical information.
New Security Settings
AppOmni has introduced a new security setting called "EnforceDMFLSAndDataEncryption" in response to particular vulnerabilities. Customers must enable this setting to ensure that only users with the "View Encrypted Data" permission can see plaintext values returned by the Data Mapper.
Regulatory Concerns
Organizations subject to compliance regulations such as HIPAA, GDPR, SOX, or PCI-DSS should address these vulnerabilities seriously. The potential gaps could expose companies to regulatory scrutiny and penalties. The responsibility of implementing secure configurations lies with the customers. A single overlooked setting might compromise thousands of records without vendor accountability.
Salesforce’s Stance
A spokesperson from Salesforce responded to these findings by stating that most issues arise due to customer configuration errors rather than inherent application vulnerabilities. The company claims all identified issues have been addressed and that patches are now available to users. They emphasize there is no evidence that the vulnerabilities have been exploited in customer environments.
Other Vulnerability Discoveries
Adding to the concerns, security researcher Tobia Righi, known as MasterSplinter, recently discovered a Salesforce Object Query Language (SOQL) injection vulnerability that could also be exploited to access sensitive user data. The zero-day vulnerability in question arises from a user-controlled parameter, "contentDocumentId," which is embedded unsafely within an application.
The exploitation of this flaw could allow attackers to inject additional queries and obtain database contents. Utilizing a publicly available brute-force script, it’s possible to generate IDs of non-public ContentDocument objects, which could yield sensitive information regarding uploaded documents.
Salesforce has expressed gratitude for the responsible disclosure of such vulnerabilities, affirming that they will continue to engage with the security research community.
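The class of flaw described above, as an added example that is not code from Salesforce, the researcher, or the original article: a hypothetical Apex controller that accepts a "contentDocumentId" parameter, shown first with the unsafe string concatenation and then with validation, a bind variable, and user-mode access checks. The class name, method names, and queried fields are assumptions chosen for illustration.

```apex
// Added example: hypothetical controller, not the affected Salesforce code.
public with sharing class DocumentLookupController {

    // VULNERABLE pattern: the caller-supplied value is concatenated into the
    // query text, so it is parsed as SOQL instead of being treated as data.
    @AuraEnabled
    public static List<ContentVersion> getVersionsUnsafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title FROM ContentVersion '
                    + 'WHERE ContentDocumentId = \'' + contentDocumentId + '\'';
        return Database.query(soql);
    }

    // HARDENED pattern: validate the type, bind the value, enforce user-mode access.
    @AuraEnabled
    public static List<ContentVersion> getVersionsSafe(String contentDocumentId) {
        Id docId;
        try {
            // Id.valueOf rejects anything that is not a well-formed record ID.
            docId = Id.valueOf(contentDocumentId);
        } catch (Exception e) {
            throw new AuraHandledException('Invalid document ID');
        }
        // Accept only IDs that belong to the expected object type.
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Invalid document ID');
        }
        // Static SOQL with a bind variable: the value cannot alter the query
        // structure. WITH USER_MODE applies the caller's object permissions,
        // field-level security, and sharing rules to the result.
        return [
            SELECT Id, Title
            FROM ContentVersion
            WHERE ContentDocumentId = :docId
            WITH USER_MODE
        ];
    }
}
```

Binding removes the injection itself; the user-mode clause additionally limits what a caller can read even when they supply a valid ID for a document they should not see.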
Final Observations
The ongoing scrutiny of Salesforce Industry Cloud highlights the importance of vigilant configuration and security practices in low-code platforms. As organizations become more reliant on such technologies, addressing these vulnerabilities proactively will be critical in safeguarding sensitive data.