Salesforce Industry Cloud Misconfigurations Expose Sensitive Data

Cybersecurity researchers have identified more than 20 configuration-related security issues within Salesforce Industry Cloud, highlighting significant risks for customers who fail to secure their environments properly. The vulnerabilities affect key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.

What’s at Risk?

These misconfigurations can allow unauthorized internal or external actors to access:

  • Encrypted employee and customer data

  • User session histories

  • Internal system credentials

  • Business logic and configurations

According to Aaron Costello, Chief of SaaS Security Research at AppOmni:

“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritized.”

Key CVEs Identified

The following vulnerabilities have been assigned CVE identifiers:

  • CVE-2025-43697 – Missing field-level security checks can expose plaintext values of encrypted fields.

  • CVE-2025-43698 – SOQL data sources bypass field-level security entirely.

  • CVE-2025-43699 – FlexCard does not enforce required permissions on specific objects.

  • CVE-2025-43700 – FlexCard returns unencrypted data, even when Classic Encryption is used.

  • CVE-2025-43701 – Guest users can retrieve values from custom settings.

These vulnerabilities, if left unpatched, can be exploited to bypass access controls and expose sensitive information.

Fixes and Recommendations

Salesforce has addressed three of the issues and provided guidance for two more. The remaining misconfigurations must be corrected by customers themselves.

A new security setting called "EnforceDMFLSAndDataEncryption" has been introduced. When enabled, it ensures only users with the appropriate permissions can access decrypted data.

AppOmni warns:

“For organizations subject to HIPAA, GDPR, SOX, or PCI-DSS, a single missed setting could lead to regulatory breaches and thousands of compromised records.”

Salesforce stated that these are not software vulnerabilities, but rather customer configuration issues, and emphasized that no evidence of exploitation has been observed in the wild.

Related Discovery: SOQL Injection Flaw

Security researcher Tobia Righi discovered a SOQL injection vulnerability in a default Aura controller that could allow attackers to exfiltrate data by manipulating an unsanitized contentDocumentId parameter. The flaw affected all Salesforce environments by default, although Salesforce patched it promptly following responsible disclosure.

The issue was compounded by the predictable nature of Salesforce ID generation, making brute-force enumeration possible.
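As an added illustration (not the affected controller's code, which the article does not reproduce), here is a hypothetical Aura-enabled Apex method that shows the injectable pattern next to a hardened version; the class, method and field names are assumptions.

```apex
// Added illustration, not the actual Salesforce controller code: a hypothetical
// Aura-enabled Apex controller that looks up file versions by contentDocumentId,
// first in the injectable form the article describes, then hardened.
public with sharing class ContentDocumentController {

    // VULNERABLE (illustrative): the caller-supplied parameter is concatenated
    // straight into a dynamic SOQL string, so a crafted value can alter the query.
    @AuraEnabled
    public static List<ContentVersion> getVersionsUnsafe(String contentDocumentId) {
        String soql = 'SELECT Id, Title FROM ContentVersion '
                    + 'WHERE ContentDocumentId = \'' + contentDocumentId + '\'';
        return (List<ContentVersion>) Database.query(soql);
    }

    // HARDENED: validate that the parameter is a well-formed Id, then use a bind
    // variable so the value can never be parsed as SOQL syntax. WITH USER_MODE
    // applies object- and field-level security, and the class's "with sharing"
    // keyword applies record sharing, so a guessed Id (Salesforce Ids are
    // predictable, as the article notes) only returns records the caller may see.
    @AuraEnabled
    public static List<ContentVersion> getVersions(String contentDocumentId) {
        if (String.isBlank(contentDocumentId) || !(contentDocumentId instanceof Id)) {
            throw new AuraHandledException('Invalid contentDocumentId');
        }
        Id docId = Id.valueOf(contentDocumentId);
        // Reject Ids that are well formed but belong to a different object type.
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Invalid contentDocumentId');
        }
        return [SELECT Id, Title
                FROM ContentVersion
                WHERE ContentDocumentId = :docId
                WITH USER_MODE];
    }
}
```

The bind variable removes the injection; the sharing and user-mode enforcement are what make predictable Ids harmless, since enumeration only ever yields records the caller already has access to.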

Final Thoughts

This incident underscores a recurring theme in SaaS security: even powerful enterprise platforms like Salesforce are only as secure as their configuration. Organizations must:

  • Regularly audit and enforce security settings

  • Enable newly released security controls

  • Monitor access to sensitive data

  • Stay current on vendor advisories

In SaaS environments, misconfiguration is one of the leading causes of data exposure—and often one of the most preventable.