Researcher Discovers Five Zero-Day Vulnerabilities and Twenty Configuration Errors in Salesforce
A cybersecurity researcher has uncovered five zero-day vulnerabilities and more than 20 configuration risks in Salesforce’s cloud products.
On June 10, Aaron Costello, Chief of SaaS Security Research at AppOmni, released a report detailing his investigation into Salesforce’s industry cloud offerings. These solutions are designed to assist organizations in creating industry-specific applications and workflows using low-code methodologies.
The identified misconfigurations could allow unauthorized access to sensitive encrypted data, including employee and customer information, session logs that detail user interactions with Salesforce’s industry cloud, and credentials for Salesforce and other corporate systems. The affected products include FlexCards, Integration Procedures (IProcs), Data Mappers, OmniScript Saved Sessions, Data Packs, and OmniOut. It is important to note that the Vlocity suite, another Salesforce product, is not affected. However, many identical risks persist in Vlocity due to overlapping features.
Five Vulnerabilities Found, Including Two Zero-Days
AppOmni disclosed its findings to Salesforce, which confirmed five issues as vulnerabilities and assigned them Common Vulnerabilities and Exposures (CVE) identifiers. Four vulnerabilities impacted FlexCards, while one affected Data Mappers.
Three issues related to FlexCards have been fully resolved, with no additional action required from clients:
– CVE-2025-4399: FlexCards failed to enforce the ‘Required Permissions’ field for the OmniUiCard object (CVSSv3 score: 5.3).
– CVE-2025-43700: FlexCards did not enforce the ‘View Encrypted Data’ permission, allowing plaintext values to be returned for data employing Classic Encryption (CVSSv3 score: 7.5).
– CVE-2025-43701: FlexCards permitted Guest Users to access values for Custom Settings (CVSSv3 score: 7.5).
Salesforce notified its customers of the vulnerabilities on May 19, 2025, after remediating these issues. A Salesforce spokesperson stated that all identified problems have been resolved, with patches provided to customers and documentation updated to reflect full configuration capabilities. Salesforce claimed no evidence of exploitation in customer environments had been observed due to these vulnerabilities.
The other two vulnerabilities are unpatched but have been mitigated through the introduction of a customer-configurable security setting, transferring to users the responsibility to implement their own protections:
– CVE-2025-43697: An improper preservation of permissions vulnerability in Data Mappers that could expose encrypted data.
– CVE-2025-43698: An improper preservation of permissions vulnerability in FlexCards that allows the bypassing of field-level security controls for Salesforce objects.
AppOmni collaborated with Salesforce to provide mitigation recommendations for the aforementioned vulnerabilities. For CVE-2025-43697, the recommendation is to enforce Field Level Security (FLS) across all Data Mappers within the organization. For CVE-2025-43698, organizations are advised to enable an Omni Interaction Configuration setting to ensure that only users with the ‘View Encrypted Data’ permission can see the plaintext values of fields returned by the Data Mapper.
Regulatory Exposure Warning
AppOmni emphasized that because it is the customer’s responsibility to correctly configure these settings, a single oversight could result in the exposure of thousands of records, without vendor accountability. Organizations that are subject to compliance mandates, including the US Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), as well as the GDPR in Europe and the UK and the Payment Card Industry Data Security Standard (PCI-DSS), may face significant regulatory risks due to these gaps.
These discoveries follow recent warnings from Google Cloud-owned Mandiant regarding English-speaking hackers, tracked as UNC6040, who are reportedly tricking companies into granting them extensive access to Data Loader, a Salesforce tool used for importing, exporting, and updating large amounts of data within the platform.