
Salesforce Issues CVEs and Fixes for Industry Cloud Flaws

Company thanks AppOmni for recent research, says it is needed in order to improve products.


Salesforce has acknowledged recent vulnerability research into its Industry Cloud security and issued CVEs and fixes.

In a blog post, it said it invests in “rigorous security research through external initiatives” in order to improve products. Addressing recent research into vulnerabilities and misconfigurations in its Industry Clouds with AppOmni, it said: “Through a focused security evaluation of our OmniStudio product, AppOmni identified opportunities to enhance configurations.

“In partnership, we conducted a comprehensive analysis to assess the relevance of these findings, and Salesforce successfully implemented improvements tailored to our environment.”

Configuration Risks and Vulnerabilities

Research conducted by Aaron Costello, chief of SaaS security research at AppOmni, uncovered more than 20 configuration-related risks as well as multiple zero-day vulnerabilities.

“These findings revealed how default settings and some insecure patterns that are the responsibility of the customers to configure and use correctly, can lead to unauthorised access to encrypted fields, session stealing, credentials, and business logic,” he said.

As a result, Salesforce has now issued CVEs for five of the findings – fixing three and issuing configuration guidance for the other two that require customer action. “The remaining sixteen configuration risks are the responsibility of customers to address,” Costello said.

Aaron Costello talked with SC UK’s senior editor Dan Raywood about the research and the findings.


The vulnerabilities are detailed as follows:

CVE-2025-43700 - Enhanced data masking for encrypted fields: AppOmni’s research uncovered a specific scenario involving OmniStudio FlexCards and the ComponentController Apex class where, under certain configurations, encrypted data could potentially be displayed in plaintext to users who did not possess the ‘View Encrypted Data’ permission. In response to this finding, Salesforce implemented robust enhancements to ensure that encrypted data is consistently and appropriately masked for all users.

CVE-2025-43701 - Strengthened protection for custom settings from guest users: Under specific configurations of FlexCard SOQL data sources, or through the ComponentController Apex class, guest users could potentially bypass existing platform-level security measures designed to prevent access to Custom Settings. Since Custom Settings often contain sensitive information, this presented a risk of unintended information disclosure to unauthenticated users. Salesforce addressed this by reinforcing the security mechanisms within OmniStudio.

CVE-2025-43698 - SOQL data source circumvents field-level security: The SOQL data source within FlexCards bypassed standard Salesforce Field-Level Security (FLS) during data retrieval. Consequently, users could gain access to field values even without explicit FLS permissions, potentially leading to the disclosure of sensitive information to unintended parties. Salesforce addressed this by ensuring the SOQL data source now respects and enforces Field-Level Security, thereby preventing unauthorised access to sensitive fields and strengthening data protection within OmniStudio.

CVE-2025-43697 - Unintended plaintext exposure via Data Mappers: AppOmni’s research identified that ‘Extract’ and ‘Turbo Extract’ Data Mappers could inadvertently expose plaintext values of Classic Encrypted fields without requiring the user executing the Data Mapper to possess the ‘View Encrypted Data’ permission. This circumvented the intended access controls for encrypted data and occurred by default unless a specific configuration setting was enabled to prevent it. Salesforce addressed this by ensuring Data Mappers now respect the ‘View Encrypted Data’ permission, and is also reinforcing the importance of enabling FLS checks.

CVE-2025-43699 - Enhanced permission validation for FlexCards: AppOmni identified that the ‘Required Permission’ field, intended to restrict access to certain OmniStudio FlexCards, performed its validation client-side. This meant that while the permission check was effective when FlexCards were executed through the user interface, it could be bypassed if a FlexCard was invoked directly (e.g., via an API or background process), potentially allowing unauthorised users to gain access to sensitive data. This was addressed by implementing robust server-side permission validation for the ‘Required Permission’ field.
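The client-side check described for CVE-2025-43699 and the missing field-level filtering described for CVE-2025-43698 come down to the same rule: the handler that returns the data has to enforce access itself. The sketch below is an added example, not Salesforce or AppOmni code; the card, users, fields and function names are all constructed for illustration.

```javascript
// Constructed model, not Salesforce or OmniStudio code. All names are hypothetical.
const cards = {
  AccountSummary: { requiredPermission: "ViewAccountCards", fields: ["Name", "Tier", "TaxId"] },
};
const records = { AccountSummary: { Name: "Acme Ltd", Tier: "Gold", TaxId: "XX-0000000" } };

// Constructed users: granted permissions plus per-field read access (FLS).
const users = {
  manager: { permissions: new Set(["ViewAccountCards"]), readable: new Set(["Name", "Tier", "TaxId"]) },
  agent: { permissions: new Set(["ViewAccountCards"]), readable: new Set(["Name", "Tier"]) },
  guest: { permissions: new Set(), readable: new Set(["Name"]) },
};

// "Before": the data handler trusts its caller and checks nothing.
function serverFetchUnchecked(cardName, _user) {
  return { ...records[cardName] };
}

// The UI layer is the only place the required permission is evaluated.
function uiRender(cardName, userName, handler) {
  const user = users[userName];
  if (!user.permissions.has(cards[cardName].requiredPermission)) return null; // card hidden
  return handler(cardName, user);
}

// "After": the handler enforces the permission and field access itself.
function serverFetchEnforced(cardName, user) {
  const card = cards[cardName];
  if (!user.permissions.has(card.requiredPermission)) {
    throw new Error("INSUFFICIENT_ACCESS");
  }
  const out = {};
  for (const field of card.fields) {
    if (user.readable.has(field)) out[field] = records[cardName][field];
  }
  return out;
}

// Direct invocation (API call, background job) never passes through uiRender.
function directInvoke(cardName, userName, handler) {
  try {
    return { ok: true, data: handler(cardName, users[userName]) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

With the unchecked handler, the UI path hides the card from `guest` while the direct path returns the full record; with the enforced handler, both paths give the same answer for every user.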


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
