Salesforce Cloud Exposed by Zero-Days and Misconfigurations

Article Highlights
Off On

Critical Vulnerabilities in Salesforce Cloud Components

The revelation of critical vulnerabilities in Salesforce’s cloud components has sparked significant concerns about data security and regulatory compliance. Five zero-day vulnerabilities, alongside over 20 misconfigurations, have been uncovered by cybersecurity researcher Aaron Costello, Chief of SaaS Security Research at AppOmni. These vulnerabilities threaten the security of Salesforce’s widely-used industry cloud offerings, which are integral tools for businesses designing industry-specific applications. In particular, flaws in configurations could potentially expose sensitive data, including employee and customer information. These newly discovered security lapses highlight the intricate challenges faced by organizations relying on cloud services, emphasizing the necessity for diligent oversight and regular security evaluations.

Vulnerabilities and Misconfigurations

In June, Costello brought to light various security issues plaguing Salesforce’s OmniStudio suite, a component of its industry cloud offerings. Key products like FlexCards, Integration Procedures, and Data Mappers were found vulnerable. Misconfigurations in these elements invite opportunities for unauthorized data access, creating loopholes for malicious actors to exploit sensitive information such as session logs and credentials. Although Salesforce’s Vlocity suite remains unscathed, Costello warned that similar risks loom, given its shared feature sets with OmniStudio. AppOmni’s findings prompted Salesforce to act swiftly, addressing identified vulnerabilities by assigning them Common Vulnerabilities and Exposures (CVE) identifiers.

The five vulnerabilities identified were notably severe. Three have already been resolved by Salesforce, while the remaining two await customer-configurable security settings to bolster defenses. Particularly, CVE-2025-4399, CVE-2025-43700, and CVE-2025-43701 involving FlexCards were promptly fixed. These flaws ranged from insufficient enforcement of required permissions to allowing guest user access to sensitive settings. In contrast, CVE-2025-43697 and CVE-2025-43698, impacting Data Mappers and FlexCards respectively, require additional user intervention to secure data effectively, underscoring the importance of an organization’s active role in maintaining its cybersecurity posture.

Salesforce’s Response and Recommendations

In response to the vulnerabilities, Salesforce has proactively communicated with its customers, disseminating patches and updated documentation to ensure all configurations are correctly addressed. The expedient resolution of three FlexCards vulnerabilities demonstrates Salesforce’s commitment to securing its cloud offerings. Salesforce assures that there has been no exploitation of these gaps in customer environments. However, the firm has implemented user-configurable settings to deal with the remaining two vulnerabilities, putting the onus on customers to enact necessary security measures.

To address these issues, AppOmni has provided specific guidelines to mitigate risks associated with Data Mappers and FlexCards. Customers are advised to enforce Field Level Security (FLS) and data encryption through Salesforce’s Omni Interaction Configuration. Detailed steps include setting up new configurations to enhance protections, ensuring only authorized users can access encrypted data without compromising the system’s integrity. Such measures are crucial to safeguard against potential breaches, protecting sensitive organizational and client data.

Regulatory Implications and Recent Security Concerns

The findings from AppOmni also highlight the significant regulatory risks posed by these security lapses. Organizations governed by compliance frameworks such as HIPAA, SOX, GDPR, and PCI-DSS face increased exposure if configurations are improperly handled. A single oversight in settings could result in massive data breaches, incurring severe legal and financial repercussions. The shift of responsibility to customers for securing configurations underscores the growing complexity of balancing usability with security in cloud-based environments.

The timing of these revelations parallels findings by Google Cloud’s Mandiant, which warned of cyber threats from groups manipulating Salesforce’s Data Loader tool. Such incidents reinforce the urgency for organizations to rigorously monitor and secure their cloud interfaces. As cyber threats evolve, vigilance and proactive security measures are vital. Companies must remain acutely aware of their role in maintaining secure systems and stay updated on potential vulnerabilities to safeguard against emerging threats. This approach helps mitigate risks associated with data breaches, ensuring compliance with stringent regulatory standards.

Ensuring Future Security and Compliance

In June, Costello highlighted critical security issues within Salesforce’s OmniStudio suite, part of its industry cloud services. Vulnerabilities were discovered in major components like FlexCards, Integration Procedures, and Data Mappers, due to misconfigurations that permit unauthorized data access, posing risks to sensitive data like session logs and credentials. Although the Vlocity suite was intact, Costello cautioned about potential threats given shared features with OmniStudio. AppOmni’s report urged Salesforce to act quickly, addressing vulnerabilities by assigning Common Vulnerabilities and Exposures (CVE) identifiers. Among five severe vulnerabilities detected, three have been resolved by Salesforce, while two await enhanced security settings managed by customers. Specifically, CVE-2025-4399, CVE-2025-43700, and CVE-2025-43701 linked to FlexCards were addressed, focusing on insufficient permission enforcement and unwanted guest user access. Conversely, CVE-2025-43697 and CVE-2025-43698 in Data Mappers and FlexCards demand further user action for data security, highlighting the crucial role organizations play in bolstering their cybersecurity defenses.

Explore more

Wix and ActiveCampaign Team Up to Boost Business Engagement

In an era where businesses are seeking efficient digital solutions, the partnership between Wix and ActiveCampaign marks a pivotal moment for enhancing customer engagement. As online commerce evolves, enterprises require robust tools to manage interactions across diverse geographical locations. This alliance combines Wix’s industry-leading website creation and management capabilities with ActiveCampaign’s sophisticated marketing automation platform, promising a comprehensive solution to

Can Coal Plants Power Data Centers With Green Energy Storage?

In the quest to power data centers sustainably, an intriguing concept has emerged: retrofitting coal plants for renewable energy storage. As data centers grapple with skyrocketing energy demands and the imperative to pivot toward green solutions, this innovative idea is gaining traction. The concept revolves around transforming retired coal power facilities into thermal energy storage sites, enabling them to harness

Can AI Transform Business Operations Successfully?

Artificial intelligence (AI) has emerged as a foundational technology poised to revolutionize the structure and efficiency of business operations across industries. With the ability to automate tasks, predict outcomes, and derive insights from vast datasets, AI presents an opportunity for transformative change. Yet, despite its promise, successfully integrating AI into business operations remains a complex undertaking for many organizations. Businesses

Is PayPal Revolutionizing College Sports Payments?

PayPal has made a groundbreaking entry into collegiate sports by securing substantial agreements with the NCAA’s Big Ten and Big 12 conferences, paving the way for student-athletes to receive compensation via its platform. This move marks a significant evolution in PayPal’s strategy to position itself as a leading financial services provider under CEO Alex Criss. With a monumental $100 million

Zayo Expands Fiber Network to Meet Rising Data Demand

The increasing reliance on digital communications and data-driven technologies, such as artificial intelligence, remote work, and ongoing digital transformation, has placed unprecedented demands on the fiber infrastructure industry. Projections indicate a need for nearly 200 million additional fiber-network miles by 2030 to prevent bandwidth shortages, putting pressure on companies like Zayo. As a prominent provider in the telecom infrastructure sector,