Cybersecurity researchers have found more than 20 configuration-related risks affecting Salesforce Industry Cloud (also known as Salesforce Industries), exposing sensitive data to unauthorized internal and external parties.
The weaknesses affect various components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.
“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security is not prioritized,” said Aaron Costello, of SaaS security research at AppOmni, in a statement shared with The Hacker News.
These misconfigurations, if left unaddressed, could allow cybercriminals and unauthorized users to access encrypted confidential data on employees and customers, session data detailing how users have interacted with Salesforce Industry Cloud, and credentials for Salesforce and other systems.
Following responsible disclosure, Salesforce addressed three of the shortcomings and issued recommendations for two more. The remaining 16 misconfigurations have been left for customers to fix on their own.
Below are the vulnerabilities that have been assigned CVE identifiers –
- CVE-2025-43697 (CVSS score: N/A) – If “Check Field Level Security” is not enabled for “Extract” and “Turbo Extract” Data Mappers, the “View Encrypted Data” permission check is not enforced, exposing cleartext values for encrypted fields to users with access to the record.
- CVE-2025-43698 (CVSS score: N/A) – The SOQL data source bypasses any field-level security when fetching data from Salesforce objects.
- CVE-2025-43699 (CVSS score: 5.3) – FlexCard does not enforce the “Required Permissions” field for the OmniUlCard object.
- CVE-2025-43700 (CVSS score: 7.5) – FlexCard does not enforce the “View Encrypted Data” permission, returning plaintext values for data that uses Classic Encryption.
- CVE-2025-43701 (CVSS score: 7.5) – FlexCard allows guest users to access values for Custom Settings.
Put simply, attackers can weaponize these issues to bypass security controls and extract sensitive customer or employee information.
AppOmni said that “EnforceDMFLSAndDataEncryption” is a setting customers will have to enable so that only users with the “View Encrypted Data” permission can see the plaintext values of fields returned by the Data Mapper.
“For organizations subject to compliance mandates such as HIPAA, GDPR, SOX, or PCI-DSS, these gaps can represent real regulatory exposure,” the company said. “And because it is the customer’s responsibility to securely configure these settings, a single missed setting could lead to the breach of thousands of records, with no vendor accountability.”
When reached for comment, a Salesforce spokesperson told The Hacker News that the vast majority of the issues “stem from customer configuration” and are not vulnerabilities in the application.
“All the issues identified in this research have been resolved, with patches made available to customers, and official documentation has been updated to reflect complete configuration functionality,” the company said. “We have not observed any evidence of exploitation in customer environments as a result of these issues.”
The disclosure comes as security researcher Tobia Righi, who goes by the handle MasterSplinter, disclosed a Salesforce Object Query Language (SOQL) injection vulnerability that could be exploited to access sensitive user data.
The zero-day vulnerability (no CVE) exists in a default Aura controller that is present in all Salesforce deployments. It arises from a user-controlled “contentDocumentId” parameter that is unsafely embedded in “aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap”, which creates a path for SOQL injection.
Successful exploitation of the flaw could allow attackers to insert additional queries through the parameter and extract database contents. The exploit could be further augmented by passing a list of IDs correlated with ContentDocument objects that are not public, in order to gather information about uploaded documents.
The IDs, according to Righi, can be generated by a publicly available brute-force script that produces possible previous or subsequent Salesforce IDs based on a valid input ID. This, in turn, is made possible by the fact that Salesforce IDs do not actually provide a security boundary and are in fact somewhat predictable.
“As noted in the research, after receiving the report, our security team promptly investigated and resolved this issue. We have not observed any evidence of exploitation in customer environments,” a Salesforce spokesperson said. “We appreciate Tobia’s efforts to responsibly disclose this issue to Salesforce, and we continue to encourage the security research community to report potential issues through our established channels.”
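
The SOQL injection and predictable-ID paragraphs above point to two separate server-side checks: strict validation of a user-controlled record ID, and an access check on the record itself. The Python below is an added example, not code from the article, the researcher, or Salesforce. The function names, the `readable_ids` set, and the sample IDs are hypothetical and constructed for illustration.

```python
import re

# Alphabet used for the 3-character case-safe suffix of 18-character IDs.
_SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
_ID15 = re.compile(r"[A-Za-z0-9]{15}")  # ASCII only, no quotes or spaces


def case_suffix(id15: str) -> str:
    """Compute the suffix that records which letters of a 15-char ID are uppercase."""
    suffix = []
    for start in (0, 5, 10):
        bits = 0
        for offset, ch in enumerate(id15[start:start + 5]):
            if "A" <= ch <= "Z":
                bits |= 1 << offset
        suffix.append(_SUFFIX_ALPHABET[bits])
    return "".join(suffix)


def normalize_record_id(value: str, key_prefix: str) -> str:
    """Return the 18-character form of a well-formed ID, or raise ValueError."""
    if not isinstance(value, str) or len(value) not in (15, 18):
        raise ValueError("not a record ID")
    id15, given_suffix = value[:15], value[15:]
    if not _ID15.fullmatch(id15) or not id15.startswith(key_prefix):
        raise ValueError("not a record ID of the expected object type")
    expected = case_suffix(id15)
    if given_suffix and given_suffix != expected:
        raise ValueError("case-safe suffix mismatch")
    return id15 + expected


def build_query(content_document_id: str, readable_ids: set) -> str:
    """Validate the ID, authorize the caller, then embed the ID in the query text."""
    # "069" is the standard key prefix of ContentDocument records.
    record_id = normalize_record_id(content_document_id, "069")
    # A well-formed ID is guessable, so shape validation is not authorization:
    # the caller must also be allowed to read this specific record.
    if record_id not in readable_ids:
        raise PermissionError("caller cannot read this document")
    return f"SELECT Id, Title FROM ContentDocument WHERE Id = '{record_id}'"
```

Format validation removes the injection path, while the `readable_ids` check is what stops enumeration of well-formed but unauthorized IDs.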