Identification of Over 20 Configuration Vulnerabilities, Including Five CVEs, in Salesforce Industry Cloud
Cybersecurity researchers have identified more than 20 configuration-related vulnerabilities within Salesforce Industry Cloud that could expose sensitive data to unauthorized internal and external parties.
These vulnerabilities impact several components, including FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. The inherent risks associated with low-code platforms such as Salesforce Industry Cloud are evident; while they facilitate application development, they can also pose significant security risks if not properly managed. Aaron Costello, Chief of SaaS Security Research at AppOmni, highlighted the importance of prioritizing security among the conveniences offered by these platforms.
If unaddressed, these misconfigurations can enable cybercriminals to gain unauthorized access to encrypted confidential data pertaining to employees and customers, session data related to user interactions with Salesforce Industry Cloud, as well as critical business logic.
Salesforce has acted post-disclosure by addressing three of the identified vulnerabilities and provided configuration guidance on an additional two, leaving 16 other misconfigurations to be rectified independently by customers.
The vulnerabilities assigned CVE identifiers include:
– CVE-2025-43697: If ‘Check Field Level Security’ is not enabled for Extract and Turbo Extract Data Mappers, cleartext values of encrypted fields are exposed to any user with record access.
– CVE-2025-43698: The SOQL data source bypasses any Field-Level Security when retrieving data from Salesforce objects.
– CVE-2025-43699: FlexCard does not enforce the ‘Required Permissions’ field on the OmniUiCard object.
– CVE-2025-43700: FlexCard fails to enforce the ‘View Encrypted Data’ permission, allowing plaintext values to be returned for data protected with Classic Encryption.
– CVE-2025-43701: FlexCard permits Guest Users to access values for Custom Settings.
These issues pose a serious threat, as attackers could exploit these vulnerabilities to bypass security controls and exfiltrate sensitive data regarding customers or employees.
AppOmni noted that CVE-2025-43697 and CVE-2025-43698 have been mitigated through a new security setting, “EnforceDMFLSAndDataEncryption,” which customers must enable themselves; once enabled, plaintext values of Data Mapper fields are visible only to users holding the “View Encrypted Data” permission.
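The two Data Mapper CVEs above come down to the same defect: data is read in system context and handed back without consulting the running user's field-level security or their “View Encrypted Data” permission. The following Apex class is an added illustration, not code from Salesforce, AppOmni, or the Industry Cloud packages, of what a custom extract that respects those controls looks like next to one that does not. The object name `Patient__c`, the field `SSN__c`, and the masking format are assumptions for the example; the platform calls (`Database.query` with `AccessLevel.USER_MODE`, `Security.stripInaccessible`, and the `PermissionsViewEncryptedData` field on `PermissionSet`) are standard Apex.

```apex
// Added example: an FLS- and encryption-aware extract for comparison with the
// unchecked pattern behind CVE-2025-43697 / CVE-2025-43698. Not Salesforce code.
public with sharing class FlsAwareExtract {

    // Pattern the CVEs describe: dynamic SOQL run in system mode returns every field
    // the query names, regardless of the caller's field-level security, and Apex
    // receives Classic Encryption fields in plaintext.
    public static List<SObject> extractWithoutChecks(String soql) {
        return Database.query(soql);
    }

    // Hardened pattern: user mode enforces sharing and FLS at query time; rows are
    // then passed through stripInaccessible so any field the caller cannot read is
    // removed before the data leaves this class.
    public static List<SObject> extractWithChecks(String soql) {
        List<SObject> rows = Database.query(soql, AccessLevel.USER_MODE);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    // The platform masks Classic Encryption fields in the UI for users without
    // "View Encrypted Data", but Apex sees plaintext. Code that surfaces such a
    // field must therefore check the permission itself.
    public static Boolean callerCanViewEncryptedData() {
        List<PermissionSetAssignment> grants = [
            SELECT Id
            FROM PermissionSetAssignment
            WHERE AssigneeId = :UserInfo.getUserId()
              AND PermissionSet.PermissionsViewEncryptedData = true
            LIMIT 1
        ];
        return !grants.isEmpty();
    }

    // Returns the plaintext only to permitted users; everyone else gets the masked
    // form. Mask format is an assumption for this example.
    public static String readEncryptedField(SObject row, String fieldName) {
        Object raw = row.get(fieldName);
        if (raw == null) {
            return null;
        }
        String value = String.valueOf(raw);
        if (callerCanViewEncryptedData()) {
            return value;
        }
        Integer visible = Math.min(4, value.length());
        return 'X'.repeat(value.length() - visible) + value.right(visible);
    }

    // Example entry point (hypothetical object and field).
    public static List<String> extractPatientSsns() {
        List<SObject> rows = extractWithChecks(
            'SELECT Id, SSN__c FROM Patient__c LIMIT 200');
        List<String> out = new List<String>();
        for (SObject row : rows) {
            // After stripInaccessible, an unreadable SSN__c is simply absent.
            if (row.isSet('SSN__c')) {
                out.add(readEncryptedField(row, 'SSN__c'));
            }
        }
        return out;
    }
}
```

The permission query is the part most easily forgotten: `with sharing` and `USER_MODE` take care of record and field access, but neither one masks a Classic Encryption field on the caller's behalf, which is exactly the gap CVE-2025-43700 describes for FlexCard as well.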
For organizations mandated by compliance regulations, including HIPAA, GDPR, SOX, and PCI-DSS, these vulnerabilities represent a tangible risk for regulatory exposure. The responsibility for secure configurations falls entirely on the customer, emphasizing that a single oversight can culminate in the breach of numerous records, without any vendor accountability.
A Salesforce representative stated that a majority of the identified issues stemmed from customer configuration errors and do not reflect inherent vulnerabilities within the application. The spokesperson assured that all issues have been addressed and that patches have been made available. Additionally, they noted no evidence of exploitation within customer environments related to these vulnerabilities.
The disclosure coincides with the recent revelation of a SOQL injection vulnerability by security researcher Tobia Righi, which could be exploited to obtain sensitive user information. This zero-day vulnerability is rooted in a default Aura controller present in all Salesforce deployments, where the “contentDocumentId” parameter is embedded insecurely into a query, enabling SOQL injection.
Successful exploitation of this flaw could enable attackers to inject queries via the parameter and extract database contents. By leveraging a publicly available brute-force script, attackers can generate IDs that map to non-public ContentDocument records, exposing those records to information gathering.
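The two halves of the Righi finding are a parameter concatenated into query text, and a query that runs without the caller's sharing rules, so that a guessed ContentDocument ID resolves even when the document was never shared with the caller. The Apex below is an added example, not the affected Aura controller or any Salesforce code, showing the concatenation pattern beside the two defensive forms: a static query with a bind variable, and, where the query must be built dynamically, `Database.queryWithBinds`. Both hardened variants run in user mode so unshared documents are not returned. The class and method names are assumptions; `ContentDocument`, `WITH USER_MODE`, `Database.queryWithBinds`, and `AccessLevel.USER_MODE` are standard platform features.

```apex
// Added example: bind variables and user mode for an Aura-exposed lookup.
// Not the controller from the article and not Salesforce code.
public with sharing class ContentDocumentLookup {

    // The defect described in the article: user-controlled input becomes part of
    // the SOQL text, so a crafted value changes the query rather than the filter.
    @AuraEnabled(cacheable=true)
    public static List<ContentDocument> lookupUnsafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title FROM ContentDocument WHERE Id = \''
                    + contentDocumentId + '\'';
        return Database.query(soql);
    }

    // Hardened: static SOQL with a bind variable. The value is passed to the
    // query engine as data, never parsed as query text, and WITH USER_MODE applies
    // the caller's sharing rules, so an ID for an unshared document yields no row.
    @AuraEnabled(cacheable=true)
    public static List<ContentDocument> lookupSafe(String contentDocumentId) {
        if (!isWellFormedId(contentDocumentId)) {
            throw new AuraHandledException('Invalid ContentDocument Id');
        }
        return [
            SELECT Id, Title
            FROM ContentDocument
            WHERE Id = :contentDocumentId
            WITH USER_MODE
        ];
    }

    // When the query string genuinely has to be assembled at runtime, keep the
    // user value out of the string and bind it by name instead.
    @AuraEnabled(cacheable=true)
    public static List<ContentDocument> lookupDynamicSafe(String contentDocumentId) {
        if (!isWellFormedId(contentDocumentId)) {
            throw new AuraHandledException('Invalid ContentDocument Id');
        }
        Map<String, Object> binds = new Map<String, Object>{
            'docId' => contentDocumentId
        };
        return Database.queryWithBinds(
            'SELECT Id, Title FROM ContentDocument WHERE Id = :docId',
            binds,
            AccessLevel.USER_MODE
        );
    }

    // Defence in depth: reject anything that is not a syntactically valid
    // Salesforce Id before it reaches a query at all. Casting an invalid string
    // to Id throws, which is what the catch relies on.
    @TestVisible
    private static Boolean isWellFormedId(String value) {
        if (String.isBlank(value)) {
            return false;
        }
        try {
            Id parsed = (Id) value;
            return parsed.getSObjectType() == ContentDocument.SObjectType;
        } catch (Exception e) {
            return false;
        }
    }
}
```

The ID validation on its own does not stop the brute-force enumeration the article mentions, since a guessed ID is a well-formed ID; what stops it is `WITH USER_MODE` (or `with sharing` plus a static query), which makes an unshared document indistinguishable from a nonexistent one to the caller.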
Salesforce’s spokesperson emphasized the company’s proactive measures in addressing these vulnerabilities and their commitment to encouraging responsible disclosures from the security research community.