Security researchers at AppOmni have discovered five zero-day vulnerabilities and 15 severe but avoidable misconfiguration traps in Salesforce Industry Cloud. These issues, if unaddressed, expose sensitive data to unauthorized access and threaten compliance across industries relying on Salesforce’s low-code architecture.
The findings affect core components used by tens of thousands of entities, many in regulated sectors such as healthcare, financial services, and government. The vulnerabilities were responsibly disclosed to Salesforce, which rapidly confirmed and remediated them. Three have been patched at the platform level. The remaining two require customer intervention.
If organizations don’t follow the instructions sent by Salesforce, these two vulnerabilities remain open, AppOmni warns.
Five CVEs: Zero-Days With Real Impact
The vulnerabilities reside in FlexCards and Data Mappers, widely used features in OmniStudio. These tools are central to workflow automation, but as AppOmni’s report reveals, their defaults prioritize usability over security.
FlexCard Vulnerabilities:
- CVE-2025-43698: SOQL data sources ignore field-level security, leaking hidden fields.
- CVE-2025-43699: Required permissions checks can be bypassed due to client-side validation.
- CVE-2025-43700: Encrypted fields return plaintext to users lacking ‘View Encrypted Data’ permission.
- CVE-2025-43701: Guest users can access values in Custom Settings.
Data Mapper Vulnerability:
- CVE-2025-43697: Extract actions return decrypted data and bypass field-level security by default.
Three of these flaws have been resolved behind the scenes by Salesforce. No action is required from customers. But two (the encrypted data exposure and guest access bugs) need configuration changes on the customer’s side to fully mitigate.
These are not edge-case bugs. They affect core logic used in routine CRM workflows. Left unresolved, they could lead to widespread data leakage.
Beyond CVEs: A Minefield of Misconfiguration Traps
The CVEs are just the start. AppOmni’s team also identified 15 design weaknesses and configuration pitfalls that aren’t classified as vulnerabilities, but may be just as dangerous in practice.
These issues stem from how Salesforce’s low-code features are deployed by customers, often without the oversight of trained security professionals.
Among the top concerns:
- Lack of field-level security enforcement in FlexCards and Data Mappers
- Data leaks via session variables and public caching mechanisms
- Exposure of hardcoded credentials in Integration Procedures
- Broadly accessible API tokens in OmniOut components
- Session data leakage through saved workflows with weak permissions
Each one can be traced back to a core tension in low-code platforms: flexibility vs. control. Salesforce gives customers powerful tools to build business logic without writing code. But that power comes with complexity, and when defaults are insecure or misunderstood, the entire system can become vulnerable.
The Risk Is Real, And Likely Widespread
Salesforce’s industry clouds are popular for good reason. They offer speed, scale, and customizability. But according to AppOmni, many customers may already be running misconfigured instances without realizing it.
None of these require sophisticated exploitation, the researchers note, adding that they’re the kind of issues anyone can stumble into during normal use.
This is particularly concerning for organizations governed by regulatory frameworks like HIPAA, GDPR, SOX, or PCI-DSS. A single misstep (say, exposing encrypted health data to a user lacking permissions) could result in serious compliance failures or fines.
And the vendor won’t be held responsible. Under the shared responsibility model, configuration is the customer’s job.
What Customers Should Do Now
To reduce exposure, AppOmni recommends:
- Apply Salesforce’s latest guidance to fix the two customer-side vulnerabilities.
- Lock down sharing rules and field-level permissions for sensitive objects.
- Avoid public caching mechanisms when handling user-specific or confidential data.
- Review component permissions, particularly for FlexCards, Data Mappers, and OmniOut.
- Audit saved workflows to ensure session data isn’t exposed.
- Finally, treat low-code like code: test it, validate it, secure it.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, says that, based on the research, these Salesforce Industry Cloud vulnerabilities highlight a broader industry trend where low-code platforms present agility while trusting that customers will account for the security aspect.
“These five vulnerabilities are caused because of multiple reasons such as default configurations that prioritize usability over security, or information disclosure through improper access controls and encryption bypasses.”
Dani says organizations should:
- Apply zero-trust network segmentation to OmniOut components, limiting API access only to verified IP ranges.
- Manage user access in Salesforce. They can do this by using Salesforce’s “Role Hierarchy Viewer” to identify overprivileged profiles.
- Enable regular profile audits. This can be done via “Permission Set Assignment” to streamline audits.
- Restrict “View Encrypted Data” to roles requiring decryption.
And security teams should:
- Upgrade OmniStudio to Spring 2025 (v254+) to access fixed components.
- For legacy systems, manually append USER_MODE to SOQL queries.
- Test in a UAT sandbox and enable security flags such as ApexClassCheck, EnableQueryWithFLS, CheckCachedMetadataRecordSecurity, EnforceDMFLSAndDataEncryption.
- Test in a UAT sandbox and enable additional flags such as ScaleCache="User" or TurnOffScaleCache="true".
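As an added illustration of the field-level security gap described in the CVE list above (a SOQL data source returning fields the viewer is not allowed to read) and of the USER_MODE advice in Dani's list, the Apex below is example code written for this article, not AppOmni's, Qualys's or Salesforce's. It assumes a custom Contact field SSN__c that field-level security hides from the calling user; the class and method names are made up for the example. The first method is the unsafe pattern: Apex runs in system mode, so the query returns every selected field regardless of the caller's permissions. The next two show the two standard fixes, `WITH USER_MODE` and `Security.stripInaccessible`, and the last method is a quick check a reviewer can run as a low-privilege user to confirm whether a custom data source leaks a restricted field. It covers custom Apex behind FlexCards, Integration Procedures or remote actions; the declarative FlexCard and Data Mapper fixes themselves are Salesforce's platform changes and are not reproduced here.

```apex
// Added illustration for this article (not AppOmni's, Qualys's or Salesforce's code).
// Assumptions: a custom field Contact.SSN__c exists and is hidden from the
// running user by field-level security; class and method names are invented.
public with sharing class ContactCardDataSource {

    // Unsafe pattern: Apex executes in system mode, so "with sharing" only
    // applies record-level sharing. Field-level security is NOT enforced and
    // SSN__c comes back populated even for a user who may not read it.
    public static List<Contact> fetchUnchecked(Id accountId) {
        return [SELECT Id, Name, Email, SSN__c
                FROM Contact
                WHERE AccountId = :accountId];
    }

    // Fix 1: WITH USER_MODE runs the query as the current user, enforcing
    // both sharing rules and field-level security. If the user cannot read
    // SSN__c the query throws System.QueryException instead of leaking it,
    // so the caller fails loudly rather than rendering a hidden field.
    public static List<Contact> fetchUserMode(Id accountId) {
        return [SELECT Id, Name, Email, SSN__c
                FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    // Fix 2: when the query must stay in system mode (for example a shared
    // service class), strip fields the user may not read before the records
    // leave the server. Inaccessible fields are removed from each sObject
    // rather than raising an exception.
    public static List<Contact> fetchStripped(Id accountId) {
        List<Contact> rows = [SELECT Id, Name, Email, SSN__c
                              FROM Contact
                              WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }

    // Reviewer check: run as the restricted user (Execute Anonymous, or
    // System.runAs in a test). Returns true when the unchecked query exposed
    // SSN__c but the FLS-aware copy did not, i.e. the data source leaks.
    public static Boolean leaksRestrictedField(Id accountId) {
        List<Contact> unchecked = fetchUnchecked(accountId);
        List<Contact> stripped = fetchStripped(accountId);
        if (unchecked.isEmpty()) {
            return false;
        }
        // getPopulatedFieldsAsMap lists only fields actually present on the record
        Boolean rawHasSsn =
            unchecked[0].getPopulatedFieldsAsMap().containsKey('SSN__c');
        Boolean strippedHasSsn =
            stripped[0].getPopulatedFieldsAsMap().containsKey('SSN__c');
        return rawHasSsn && !strippedHasSsn;
    }
}
```

Call `ContactCardDataSource.leaksRestrictedField(accountId)` as the restricted user; `true` means the system-mode query handed over a field that field-level security should have hidden. The two fixes fail differently on purpose: USER_MODE raises a QueryException for any inaccessible field, which suits a card that must never display the field, while stripInaccessible silently drops it, which suits shared code that serves users with different profiles.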
Jason Soroko, Senior Fellow at Sectigo, adds that this research shows that Salesforce Industry Cloud brings a larger security burden than many tenants realize. “The team found five zero day flaws and fifteen easy-to-make misconfiguration traps in OmniStudio assets. Salesforce silently fixed three flaws, but two still need customer action or they stay exploitable. Missteps such as low code components that ignore access checks, public caching that leaks data, and off platform OmniOut apps that can expose API tokens create real risk, especially since about one quarter of all Salesforce customers depend on Industry Cloud. Default settings that feel convenient can end up handing attackers a clear path to sensitive records.”
Security teams should treat their industry cloud org as a production critical system that demands rigorous hardening, says Soroko. “Verify completion of the two customer side patches, then audit every FlexCard, Data Mapper, Integration Procedure, and saved workflow to be sure field level security and sharing rules are enforced. Disable public caching, rotate any tokens stored in components, and restrict workflow viewing to intended roles. Use continuous SaaS posture monitoring to catch weak defaults, run penetration style tests on new low code elements before they go live, log every off platform call, and maintain least privilege through granular profiles and permission sets. Staying in lockstep with fresh guidance from Salesforce and AppOmni will keep future issues from becoming tomorrow’s breach headline.”
A Salesforce spokesperson responded, adding: “Salesforce’s industry solutions are engineered with secure-by-default principles, and we are deeply committed to upholding the highest standards of trust and security for our customers. All issues identified in this research have been resolved, with patches made available to customers, and official documentation updated to reflect complete configuration functionality. We have not observed any evidence of exploitation in customer environments as a result of these issues.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.