
Cybersecurity researchers have discovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries) that could expose sensitive data to malicious internal and external actors.
The weaknesses affect a variety of components, including FlexCards, Data Mappers, Integration Procedures (IPROCs), DataPacks, OmniOut, and OmniScript saved sessions.
“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but the convenience comes at a cost when security is not prioritized,” AppOmni’s Chief of SaaS Security Research said in a statement shared with The Hacker News.
These misconfigurations could give cybercriminals and unauthorized users access to sensitive data about employees and customers, including encrypted sensitive data, as well as to session data detailing how users interact with Salesforce Industry Cloud, Salesforce, and other corporate systems, and to business logic.

Following responsible disclosure, Salesforce addressed three of the shortcomings and issued configuration guidance for two more. The remaining 16 misconfigurations are left to customers to fix themselves.
The vulnerabilities assigned CVE identifiers are listed below –
CVE-2025-43697 (CVSS score: N/A) – If “Field Level Security” is not enabled for the “Extract” and “Turbo Extract” Data Mappers, the “View Encrypted Data” permission check is not enforced
CVE-2025-43698 – The SOQL data source bypasses field-level security when retrieving data from Salesforce objects
CVE-2025-43699 (CVSS score: 5.3) – FlexCard does not enforce a field of the OmniUiCard object
CVE-2025-43700 (CVSS score: 7.5) – Returns plaintext values for data protected with classic encryption
CVE-2025-43701 (CVSS score: 7.5) – FlexCard allows guest users to access the values of custom settings
Simply put, attackers could weaponize these issues to bypass security controls and extract sensitive customer or employee information.
According to AppOmni, CVE-2025-43697 and CVE-2025-43698 are addressed through a new security setting called “enforceMflsAndDataEncryption,” which customers must enable themselves to ensure that only users with the “View Encrypted Data” permission can see plaintext values in the fields returned by the Data Mapper.
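To make the missing control concrete, the following Apex class is an added illustration (not AppOmni’s or Salesforce’s code, and not the Data Mapper implementation). It assumes a custom field Contact.Tax_Id__c that should be readable only by users whose profile grants it, and shows why an extraction that runs in system mode returns every field regardless of the user’s permissions, alongside two ways to enforce field-level security before records leave the class.

```apex
// Added illustration, not Salesforce or AppOmni code. Assumption: a custom field
// Contact.Tax_Id__c exists and is restricted by field-level security (FLS).
public with sharing class SafeContactExtract {

    // Unsafe pattern: SOQL in Apex runs in system mode by default, so every selected
    // field is returned even when the running user's profile cannot read it. This is
    // the behaviour the page describes for the Extract / Turbo Extract Data Mappers.
    public static List<Contact> extractUnchecked() {
        return [SELECT Id, Name, Tax_Id__c FROM Contact LIMIT 100];
    }

    // Safe pattern 1: WITH USER_MODE makes the query itself respect the running
    // user's object permissions, field permissions and sharing rules.
    public static List<Contact> extractUserMode() {
        return [SELECT Id, Name, Tax_Id__c FROM Contact WITH USER_MODE LIMIT 100];
    }

    // Safe pattern 2: query in system mode, then strip any field the user is not
    // allowed to read before the records are returned to the caller.
    public static List<Contact> extractStripped() {
        List<Contact> rows = [SELECT Id, Name, Tax_Id__c FROM Contact LIMIT 100];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() reports which fields were dropped per object;
        // logging it gives an audit trail of attempted over-reads.
        return (List<Contact>) decision.getRecords();
    }
}
```

Either safe pattern is the kind of check that a platform component must perform itself; a setting such as the one described above only helps once it is enabled, so a review of an org should confirm both that the setting is on and that custom extraction code does not fall back to the unchecked pattern.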

“For organizations subject to compliance mandates such as HIPAA, GDPR, SOX, PCI-DSS, and others, these gaps can represent real regulatory exposure,” the company said. “And since it’s the customer’s responsibility to securely configure these settings, one missed setting falls outside the vendor’s accountability and could expose thousands of records.”
When reached for comment, a Salesforce spokesperson told The Hacker News that the majority of the issues “stemmed from customer configuration issues” and were not vulnerabilities inherent in the application.
“All issues identified in this research have been resolved, patches are now available to customers, and official documentation has been updated to reflect the full configuration capabilities,” the company said. “We have observed no evidence of exploitation in customer environments as a result of these issues.”
The disclosure comes as security researcher Tobia Righi, who goes by the handle Mastersplinter, detailed a Salesforce Object Query Language (SOQL) injection vulnerability that could be exploited to access sensitive user data.

The zero-day vulnerability (no CVE) existed in a default Aura controller present in all Salesforce deployments and stemmed from the user-controlled “contentDocumentId” parameter.
Successful exploitation of the flaw could allow an attacker to inject additional query clauses via the parameter, allowing data to be extracted from the database. The exploit could be further enhanced by passing a list of IDs corresponding to unpublished ContentDocument objects to gather information about uploaded documents.
According to Righi, such IDs can be generated with a brute-force script that produces likely previous or next Salesforce IDs from a valid input ID. This is possible because Salesforce IDs do not provide a security boundary and are in fact somewhat predictable.
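The two points above, an injectable query parameter and IDs that cannot be relied on as secrets, are easiest to see side by side in code. The class below is an added, hypothetical Aura controller and is not the Salesforce controller Righi reported on; the method and parameter names are assumptions. The first method shows the string-concatenation pattern that makes SOQL injection possible; the second validates the ID, binds it instead of splicing it into the query text, and runs the query in user mode so that sharing rules, not the unguessability of the ID, decide what the caller may see.

```apex
// Added illustration, not Salesforce's Aura controller. Method and parameter
// names are assumptions for the example.
public with sharing class DocumentLookupController {

    // Vulnerable: the client-supplied string becomes part of the query text, so a
    // value containing a quote character can alter the WHERE clause.
    @AuraEnabled
    public static List<ContentVersion> lookupUnsafe(String contentDocumentId) {
        String q = 'SELECT Id, Title FROM ContentVersion WHERE ContentDocumentId = \''
                 + contentDocumentId + '\'';
        return Database.query(q);
    }

    // Hardened: (1) reject anything that is not a well-formed ContentDocument ID,
    // (2) pass the value as a bind variable so it can never change the query
    // structure, and (3) query WITH USER_MODE so object, field and sharing
    // permissions of the running user are enforced. Step (3) matters because
    // Salesforce IDs are sequential and guessable: knowing a valid ID must not
    // be equivalent to being authorized to read the record.
    @AuraEnabled
    public static List<ContentVersion> lookupSafe(String contentDocumentId) {
        Id docId;
        try {
            docId = Id.valueOf(contentDocumentId);   // throws StringException on malformed input
        } catch (StringException e) {
            throw new AuraHandledException('Invalid document id');
        }
        if (docId.getSObjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Invalid document id');
        }
        return [SELECT Id, Title
                FROM ContentVersion
                WHERE ContentDocumentId = :docId
                WITH USER_MODE];
    }
}
```

When reviewing an org for this class of issue, the things to look for are any use of Database.query on a string built from request parameters, and any controller that treats possession of a record ID as proof of authorization without a sharing-aware query or an explicit access check.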
“As mentioned in the study, after receiving the report, our security team quickly investigated and resolved the issue. We have not observed any evidence of exploitation in the customer environment,” a Salesforce spokesperson said. “We are grateful for Tobia’s efforts to responsibly disclose this issue to Salesforce, and continue to encourage the security research community to report potential issues through established channels.”