Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

News Room · Published 10 June 2025 (last updated 2025/06/10 at 3:59 PM)

Jun 10, 2025Ravie LakshmananVulnerability / SaaS Security

Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties.

The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.

“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn’t prioritized,” Aaron Costello, chief of SaaS Security Research at AppOmni, said in a statement shared with The Hacker News.

These misconfigurations, if left unaddressed, could allow cybercriminals and other unauthorized parties to access encrypted confidential data on employees and customers, session data detailing how users have interacted with Salesforce Industry Cloud, credentials for Salesforce and other company systems, and business logic.

Following responsible disclosure, Salesforce has addressed three of the shortcomings and issued configuration guidance for another two. The remaining 16 misconfigurations are left for customers to fix on their own.

The vulnerabilities that have been assigned CVE identifiers are listed below –

  • CVE-2025-43697 (CVSS score: N/A) – If ‘Check Field Level Security’ is not enabled for ‘Extract’ and ‘Turbo Extract’ Data Mappers, the ‘View Encrypted Data’ permission check is not enforced, exposing cleartext values of encrypted fields to any user with access to the record
  • CVE-2025-43698 (CVSS score: N/A) – The SOQL data source bypasses Field-Level Security entirely when fetching data from Salesforce objects
  • CVE-2025-43699 (CVSS score: 5.3) – FlexCard does not enforce the ‘Required Permissions’ field for the OmniUiCard object
  • CVE-2025-43700 (CVSS score: 7.5) – FlexCard does not enforce the ‘View Encrypted Data’ permission, returning plaintext values for data that uses Classic Encryption
  • CVE-2025-43701 (CVSS score: 7.5) – FlexCard allows Guest Users to access values for Custom Settings

Put simply, attackers can weaponize these issues to bypass security controls and extract sensitive customer or employee information.

AppOmni said CVE-2025-43697 and CVE-2025-43698 have been tackled through a new security setting called “EnforceDMFLSAndDataEncryption” that customers will have to enable to ensure that only users with the “View Encrypted Data” permission may see the plaintext value of fields returned by the Data Mapper.
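The design flaw behind CVE-2025-43697 is worth isolating: the ‘View Encrypted Data’ check was only evaluated inside the ‘Check Field Level Security’ branch, so disabling one toggle silently disabled an unrelated control. The following is an added illustration, not Salesforce's or AppOmni's code; it is a deliberately simplified Python model of a Data Mapper style extract in which field names, profile names, the permission string and the record are all constructed. It places the buggy coupled version beside a version that evaluates each control independently.

```python
"""Model of why gating one security check on another is a bug.

Added example: a simplified stand-in for a Data Mapper style extract,
NOT Salesforce's implementation. Schema, profiles, the permission name
and the record are constructed for illustration.
"""
from dataclasses import dataclass, field

MASK = "********"
VIEW_ENCRYPTED = "View Encrypted Data"


@dataclass
class Field:
    name: str
    encrypted: bool = False                          # encrypted at rest in the model
    readable_by: set = field(default_factory=set)    # profiles with FLS read access


@dataclass
class User:
    profile: str
    permissions: set = field(default_factory=set)


# Constructed schema: SSN__c is encrypted and only the HR profile has FLS read.
FIELDS = {
    "Name": Field("Name", readable_by={"HR", "Support"}),
    "SSN__c": Field("SSN__c", encrypted=True, readable_by={"HR"}),
}
RECORD = {"Name": "Ada Lovelace", "SSN__c": "123-45-6789"}


def extract_coupled(user: User, record: dict, check_fls: bool) -> dict:
    """Buggy variant: the encrypted-data check lives inside the FLS branch,
    so turning 'Check Field Level Security' off also drops the
    'View Encrypted Data' enforcement (the pattern the CVE describes)."""
    out = {}
    for name, value in record.items():
        f = FIELDS[name]
        if check_fls:
            if user.profile not in f.readable_by:
                continue                      # FLS denies the field entirely
            if f.encrypted and VIEW_ENCRYPTED not in user.permissions:
                value = MASK                  # only reached when check_fls is True
        out[name] = value
    return out


def extract_decoupled(user: User, record: dict, check_fls: bool) -> dict:
    """Fixed variant: FLS and the encrypted-data permission are evaluated
    independently, so neither toggle can switch the other off."""
    out = {}
    for name, value in record.items():
        f = FIELDS[name]
        if check_fls and user.profile not in f.readable_by:
            continue
        if f.encrypted and VIEW_ENCRYPTED not in user.permissions:
            value = MASK
        out[name] = value
    return out


if __name__ == "__main__":
    support = User("Support")
    print("coupled, FLS off:  ", extract_coupled(support, RECORD, check_fls=False))
    print("decoupled, FLS off:", extract_decoupled(support, RECORD, check_fls=False))
```

Running the block shows the coupled extract handing the Support user the plaintext SSN as soon as the FLS toggle is off, while the decoupled extract still masks it. When reviewing low-code data access paths, the question to ask is the same as in this model: is every permission check reachable regardless of how the other knobs are set?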

“For organizations subject to compliance mandates such as HIPAA, GDPR, SOX, or PCI-DSS, these gaps can represent real regulatory exposure,” the company said. “And because it is the customer’s responsibility to securely configure these settings, a single missed setting could lead to the breach of thousands of records, with no vendor accountability.”

When reached for comment, a Salesforce spokesperson told The Hacker News that a vast majority of the issues “stem from customer configuration issues” and are not vulnerabilities inherent to the application.

“All issues identified in this research have been resolved, with patches made available to customers, and official documentation updated to reflect complete configuration functionality,” the company said. “We have not observed any evidence of exploitation in customer environments as a result of these issues.”

The disclosure comes as security researcher Tobia Righi, who goes by the handle MasterSplinter, disclosed a Salesforce Object Query Language (SOQL) injection vulnerability that could be exploited to access sensitive user data.

The zero-day vulnerability (no CVE) exists in a default Aura controller present in all Salesforce deployments. It arises because the user-controlled “contentDocumentId” parameter is embedded unsanitized into the “aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap” action, creating a path for SOQL injection.

Successful exploitation of the flaw could have enabled attackers to insert additional queries through the parameter and extract database contents. The exploit could be further augmented by passing a list of IDs correlated to ContentDocument objects that are not public so as to gather information about uploaded documents.
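To make the root cause concrete, here is an added Python illustration (not the controller's code, not the researcher's proof of concept) of the two ways a request parameter can end up in a SOQL WHERE clause. The query shape and the object being queried are assumptions; the ID format check follows the documented 15- or 18-character alphanumeric layout of Salesforce record IDs, and the sample IDs are constructed. The hardened builder does what the Aura controller should have done: reject anything that is not shaped like a record ID before it reaches the query, and escape as defence in depth.

```python
"""Building a SOQL query from a request parameter: injectable vs hardened.

Added example, not Salesforce or researcher code. The query text is an
assumption about the controller; the ID regex follows the documented
15/18-character alphanumeric Salesforce ID layout.
"""
import re

# A Salesforce record ID is 15 case-sensitive alphanumerics, optionally
# followed by a 3-character checksum suffix (the 18-character form).
SF_ID_RE = re.compile(r"^[A-Za-z0-9]{15}([A-Za-z0-9]{3})?$")


def build_query_unsafe(content_document_id: str) -> str:
    """Vulnerable: the parameter is concatenated straight into the WHERE
    clause, so a single quote in the input closes the string literal and
    whatever follows is parsed as SOQL."""
    return ("SELECT Id, Title FROM ContentDocument WHERE Id = '"
            + content_document_id + "'")


def escape_single_quotes(value: str) -> str:
    """Simplified equivalent of Apex String.escapeSingleQuotes: backslash is
    the SOQL escape character, so escape it first, then the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_safe(content_document_id: str) -> str:
    """Hardened: allow-list the ID format first (a real ID never contains a
    quote, space or operator), then escape as a second layer."""
    if not SF_ID_RE.match(content_document_id):
        raise ValueError("contentDocumentId is not a Salesforce record ID")
    return ("SELECT Id, Title FROM ContentDocument WHERE Id = '"
            + escape_single_quotes(content_document_id) + "'")


def is_rejected(content_document_id: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_query_safe(content_document_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a well-formed 15-character ID and one that breaks
    # out of the literal to append a second condition.
    good = "069000000000001"
    bad = "069000000000001' OR Title != '"
    print(build_query_unsafe(bad))       # the literal is closed and the query grows
    print(build_query_safe(good))
    print("rejected:", is_rejected(bad))
```

The lesson generalises beyond this controller: an identifier parameter has a strict, documented grammar, so the strongest control is a format allow-list at the trust boundary; escaping alone only protects the string-literal context and does nothing if the parameter is later used unquoted (for example in ORDER BY or LIMIT).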

The IDs, Righi said, can be generated with a publicly available brute-force script that derives possible previous or next Salesforce IDs from a valid input ID. This is possible because Salesforce IDs do not provide a security boundary and are somewhat predictable.

“As noted in the research, after receiving the report, our security team promptly investigated and resolved the issue. We have not observed any evidence of exploitation in customer environments,” the Salesforce spokesperson said. “We appreciate Tobia’s efforts to responsibly disclose this issue to Salesforce, and we continue to encourage the security research community to report potential issues through our established channels.”
