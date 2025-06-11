A cybersecurity researcher has uncovered five zero-day vulnerabilities and over 20 configuration risks in Salesforce’s cloud components.

On June 10, Aaron Costello, Chief of SaaS Security Research at AppOmni, released a new report sharing the findings of an investigation into Salesforce's industry cloud offerings – a suite of solutions designed to enable organizations to build industry-specific applications and workflows in a simplified, low-code manner.

The misconfigurations Costello identified could enable unauthorized individuals to access encrypted sensitive data, including employee and customer information, session logs detailing user interactions with Salesforce industry cloud, credentials for Salesforce and other corporate systems, as well as proprietary business logic.

The affected products, part of the Salesforce OmniStudio suite, include FlexCards, Integration Procedures (IProcs), Data Mappers, OmniScript Saved Sessions, Data Packs and OmniOut.

The Vlocity suite, another Salesforce industry-centric offering, is not affected. However, Costello noted, “many of the same risks exist in Vlocity due to the overlap in their feature sets.”

Five Vulnerabilities Found, Including Two Zero-Days

AppOmni disclosed Costello’s findings to Salesforce, which identified five issues as vulnerabilities and assigned them Common Vulnerabilities and Exposures (CVE) identifiers. Four of them affected FlexCards and one, Data Mappers.

Three of these issues, all affecting FlexCards, have been fully resolved and no longer require any action from customers:

CVE-2025-4399: FlexCards does not enforce the 'Required Permissions' field for the OmniUiCard object (CVSSv3 score: 5.3)

CVE-2025-43700: FlexCards does not enforce the 'View Encrypted Data' permission, returning plaintext values for data that uses Classic Encryption (CVSSv3 score: 7.5)

CVE-2025-43701: FlexCards allows Guest Users to access values for Custom Settings (CVSSv3 score: 7.5)

Once the issues were remediated, Salesforce emailed its customers on May 19, 2025, to inform them of the vulnerabilities.

The remaining two vulnerabilities have not been fixed, but they were addressed by introducing a customer-configurable security setting, which shifts the responsibility to users to implement their own protections. These are: