A cybersecurity researcher has uncovered five zero-day vulnerabilities and over 20 configuration risks in Salesforce’s cloud components.
On June 10, Aaron Costello, Chief of SaaS Security Research at AppOmni, released a new report sharing the findings of an investigation into Salesforce's industry cloud offerings – a suite of solutions designed to enable organizations to build industry-specific applications and workflows in a simplified, low-code manner.
These misconfigurations Costello identified could enable unauthorized individuals to access encrypted sensitive data, including employee and customer information, session logs detailing user interactions with Salesforce industry cloud, credentials for Salesforce and other corporate systems, as well as proprietary business logic.
The affected products, part of the Salesforce OmniStudio suite, include FlexCards, Integration Procedures (IProcs), Data Mappers, OmniScript Saved Sessions, Data Packs and OmniOut.
The Vlocity suite, another Salesforce industry-centric offering, is not affected. However, Costello noted, “many of the same risks exist in Vlocity due to the overlap in their feature sets.”
Five Vulnerabilities Found, Including Two Zero-Days
AppOmni disclosed Costello’s findings to Salesforce, which identified five issues as vulnerabilities and assigned them Common Vulnerabilities and Exposures (CVE) identifiers. Four of them affected FlexCards and one, Data Mappers.
Three of these issues, all affecting FlexCards, have been fully resolved and no longer require any action from customers:
- CVE-2025-4399: FlexCards does not enforce the 'Required Permissions' field for the OmniUlCard object (CVSSv3 score: 5.3)
- CVE-2025-43700: FlexCards does not enforce the 'View Encrypted Data' permission, returning plaintext values for data that uses Classic Encryption (CVSSv3 score: 7.5)
- CVE-2025-43701: FlexCards allows Guest Users to access values for Custom Settings (CVSSv3 score: 7.5)
Once remediated, Salesforce sent an email communication to its customers on May 19, 2025, informing them of the vulnerabilities.
The remaining two vulnerabilities have not been fixed, but they were addressed by introducing a customer-configurable security setting, which shifts the responsibility to users to implement their own protections. These are:
- CVE-2025-43697: Improper preservation of permissions vulnerability in Data Mappers allows exposure of encrypted data
- CVE-2025-43698: Improper preservation of permissions vulnerability in Salesforce FlexCards allows bypass of field-level security controls for Salesforce objects
Example of Salesforce industry cloud scan results. Source: AppOmni
Working in collaboration with Salesforce, AppOmni provided mitigation recommendations for both CVE-2025-43697 and CVE-2025-43698.
For the former vulnerability, AppOmni recommended to enforce FLS for all Data Mappers organization-wide:
- From Setup, enter Omni Interaction Configuration and select Feature Settings > Omni Interaction > Omni Interaction Configuration
- Select New Omni Interaction Configuration
- For Name and Label, enter EnforceDMFLSAndDataEncryption. For the Value field, enter true
For the latter vulnerability, AppOmni advised organizations to enable an Omni Interaction Configuration setting, EnforceDMFLSAndDataEncryption, to ensure that only users with the ‘View Encrypted Data’ permission may see the plaintext value of fields returned by the Data Mapper. Here are the main steps to do this:
- From Setup, enter Omni Interaction Configuration and select Feature Settings > Omni Interaction > Omni Interaction Configuration
- Select New Omni Interaction Configuration
- For Name and Label, enter EnforceDMFLSAndDataEncryption. For the Value field, enter true
- Click Save
Regulatory Exposure Warning
AppOmni noted that because it is the customer's responsibility to securely configure these settings, a single missed setting could lead to the breach of thousands of records, with no vendor accountability.
Additionally, organizations subject to compliance mandates, such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), as well as the EU’s and UK’s General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS), face real regulatory exposure from these gaps.
These findings come a few days after Google Cloud-owned Mandiant warned that English-speaking hackers, tracked as UNC6040 and associated with the collective known as The Com, were observed tricking companies into giving them widespread access to Data Loader, a Salesforce tool designed to help companies import, export and update large tranches of data within the Salesforce platform.
Photo credits: Tada Images/Shutterstock
No tags.
