Researchers have discovered over 20 configuration risks, including five CVEs, in Salesforce Industry Cloud

Cybersecurity researchers have discovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries) that could expose sensitive data to malicious internal and external parties.

The weaknesses affect a variety of components, including FlexCards, Data Mappers, Integration Procedures (IPROCs), Data Packs, OmniOut, and OmniScript saved sessions.

“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but the convenience comes at a cost when security is not prioritized,” AppOmni’s chief of SaaS security research said in a statement shared with Hacker News.

These misconfigurations could give cybercriminals unauthorized access to sensitive employee and customer data, to encrypted sensitive data, to session data detailing how users interact with Salesforce Industry Cloud, Salesforce, and other corporate systems, and to business logic.

Following responsible disclosure, Salesforce addressed three of the shortcomings and issued configuration guidance for two more. The remaining 16 misconfigurations are left for customers to fix themselves.

The vulnerabilities that have been assigned CVE identifiers are listed below:

  • CVE-2025-43697 (CVSS score: N/A) – If “Check Field Level Security” is not enabled in the Extract and Turbo Extract Data Mappers, the “View Encrypted Data” permission check is not enforced and the cleartext value of an encrypted field is exposed to any user who can access the record.
  • CVE-2025-43698 (CVSS score: N/A) – The SOQL Data Source bypasses field-level security when retrieving data from a Salesforce object.
  • CVE-2025-43699 (CVSS score: 5.3) – FlexCard does not enforce the “Required Permissions” field of OmniUiCard objects.
  • CVE-2025-43700 (CVSS score: 7.5) – FlexCard returns the plaintext value of data that uses classic encryption without enforcing the “View Encrypted Data” permission.
  • CVE-2025-43701 (CVSS score: 7.5) – FlexCard allows guest users to access the values of custom settings.

Simply put, attackers could weaponize these issues to bypass security controls and extract sensitive customer or employee information.

According to AppOmni, CVE-2025-43697 and CVE-2025-43698 are addressed through a new security setting called “endforcedMflsandDataEncryption,” which customers must enable to ensure that only users with the “View Encrypted Data” permission can see the plaintext values of encrypted fields returned by a Data Mapper.

“For organizations that are subject to compliance mandates such as HIPAA, GDPR, SOX, PCI-DSS, and others, these gaps can represent actual regulatory exposure,” the company said. “And since it’s the customer’s responsibility to safely configure these settings, one missed setting can fall outside the vendor’s accountability and could lead to violations involving thousands of records.”

When reached for comment, a Salesforce spokesperson told Hacker News that the majority of the issues “derived from customer configuration issues” and were not vulnerabilities inherent in the application.

“All issues identified in this study have been resolved, patches are now available to customers, and official documentation has been updated to reflect the full configuration capabilities,” the company said. “No evidence of exploitation of these issues in customer environments has been observed.”

The disclosure comes as security researcher Tobia Righi, who goes by the handle Mastersplinter, has disclosed a Salesforce Object Query Language (SOQL) injection vulnerability that could be exploited to access sensitive user data.

The zero-day vulnerability (which has no CVE) existed in a default Aura controller present in all Salesforce deployments and stemmed from a user-controlled “contentdocumentid” parameter.

Successful exploitation of the flaw could allow an attacker to inject additional query conditions via the parameter and extract data from the database. The exploit could be amplified further by passing a list of IDs corresponding to unpublished ContentDocument objects to gather information about uploaded documents.

According to Righi, such IDs can be generated by a brute-force script that produces the likely previous or next Salesforce IDs from a valid input ID. This is possible because Salesforce IDs do not provide a security boundary and are, in practice, somewhat predictable.
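As an added illustration (not code from the affected controller, whose source is not on the page), the hypothetical Apex class below contrasts the injectable dynamic-SOQL pattern behind this class of bug with a hardened version that validates the ID, binds it into the query, and runs in user mode; the class and method names are assumed.

```apex
public with sharing class ContentDocumentLookup {

    // Vulnerable pattern (hypothetical): the caller-supplied string is
    // concatenated straight into dynamic SOQL, so a crafted value is
    // parsed as part of the query rather than treated as a value.
    @AuraEnabled
    public static List<ContentDocument> findUnsafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title FROM ContentDocument WHERE Id = \''
                    + contentDocumentId + '\'';
        return Database.query(soql);
    }

    // Hardened version: reject anything that is not a ContentDocument ID,
    // bind the value instead of concatenating it, and query in user mode
    // so sharing rules and field-level security are enforced.
    @AuraEnabled
    public static List<ContentDocument> findSafe(String contentDocumentId) {
        Id docId;
        try {
            // Id.valueOf throws StringException for a malformed ID
            docId = Id.valueOf(contentDocumentId);
        } catch (StringException e) {
            return new List<ContentDocument>();
        }
        // Only accept IDs whose key prefix belongs to ContentDocument
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            return new List<ContentDocument>();
        }
        // The bind variable is passed as a value and never parsed as SOQL text
        return [SELECT Id, Title FROM ContentDocument
                WHERE Id = :docId WITH USER_MODE];
    }
}
```

Note that the hardened method also stops the ID-guessing amplification described above from returning records the caller cannot see, because user mode applies the org's sharing rules on every query.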

“As mentioned in the study, after receiving the report, our security team quickly investigated and resolved the issue. We have not observed any evidence of exploitation in the customer environment,” a Salesforce spokesperson said. “We are grateful for Tobia’s efforts to responsibly disclose this issue to Salesforce, and continue to encourage the security research community to report potential issues through established channels.”
