
More than 20 configuration-related security risks have been discovered in Salesforce Industry Cloud, potentially exposing sensitive customer and employee data to unauthorized users, cybersecurity researchers from AppOmni have reported.
The vulnerabilities do not stem from flaws in Salesforce’s core code but rather from how organizations configure their Salesforce Industry Cloud environments—particularly when using its suite of low-code development tools such as FlexCards, Integration Procedures (IProcs), OmniScripts, and Data Mappers.
According to AppOmni’s findings, incorrect configurations can bypass permission checks, allowing access to encrypted fields, user session data, and internal logic—leaving systems open to both internal and external exploitation.
Key Vulnerabilities Identified
The report highlights several high-risk misconfigurations that could have direct operational and compliance consequences:
- CVE-2025-43697: Disabling “Check Field Level Security” for Data Mappers could expose plaintext values of encrypted fields.
- CVE-2025-43698: SOQL data sources may bypass field-level security controls entirely.
- CVE-2025-43700 & CVE-2025-43701: FlexCards may disclose encrypted data or allow guest users to access sensitive configuration settings.
These flaws, if left unaddressed, could be leveraged by threat actors to extract confidential data, disrupt workflows, or compromise trust in digital services.
Regulatory and Compliance Concerns
AppOmni has warned that these misconfigurations represent substantial risk for organizations operating under strict data protection laws and compliance frameworks, including HIPAA, GDPR, SOX, and PCI-DSS.
“Because customers are responsible for securing their own configurations, a single oversight could result in a significant data breach—with minimal accountability on the vendor side,” AppOmni said in a statement.
To mitigate risks, Salesforce has issued updated configuration guidance and introduced a new security setting, EnforceDMFLSAndDataEncryption, which restricts plaintext access to encrypted fields unless a user has the “View Encrypted Data” permission.
Notably, this setting is not enabled by default.
Salesforce Statement
In response to the findings, a Salesforce spokesperson emphasized that the majority of the identified issues are due to misconfigurations, not platform vulnerabilities.
“All issues identified in this research have been resolved, with patches made available to customers,” the spokesperson said. “We have not observed any evidence of exploitation in customer environments.”
Salesforce also reiterated its commitment to working with the security community and noted that its official documentation has been updated to reflect the necessary configuration changes.
Recommended Actions for Organizations Using Salesforce
Organizations utilizing Salesforce Industry Cloud are urged to take immediate steps to secure their environments:
- Conduct a comprehensive configuration audit, focusing on FlexCards, Data Mappers, and IProcs.
- Enable EnforceDMFLSAndDataEncryption to protect encrypted data.
- Restrict guest user access to sensitive settings and components.
- Sanitize user input in custom-built controllers to prevent injection attacks.
- Stay informed by subscribing to Salesforce’s official security alerts and documentation updates.
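As an added illustration of the configuration audit recommended above (example code written for this article, not AppOmni's or Salesforce's tooling), the script below runs audit rules matching the four findings over a constructed snapshot of an org's OmniStudio configuration; the snapshot schema (keys such as check_fls, guest_access and data_mapper) is hypothetical and is not Salesforce's metadata format.

```python
# Constructed snapshot of an Industry Cloud org's OmniStudio configuration.
# Keys such as check_fls, guest_access and data_mapper are hypothetical,
# chosen for this example; this is NOT Salesforce's metadata format.
SNAPSHOT = {
    "org_settings": {"EnforceDMFLSAndDataEncryption": False},
    "data_mappers": [
        {"name": "DM_PatientRecord", "check_fls": False, "source": "Object",
         "fields": ["Name", "SSN__c"], "encrypted_fields": ["SSN__c"]},
        {"name": "DM_Accounts", "check_fls": True, "source": "SOQL",
         "fields": ["Name"], "encrypted_fields": []},
    ],
    "flexcards": [
        {"name": "FC_PatientCard", "guest_access": True, "data_mapper": "DM_PatientRecord"},
        {"name": "FC_Internal", "guest_access": False, "data_mapper": "DM_Accounts"},
    ],
}

SEVERITY_ORDER = ["CRITICAL", "HIGH"]


def audit(snapshot):
    """Return (severity, reference, component, message) findings, worst first."""
    findings = []
    settings = snapshot.get("org_settings", {})
    # The org-wide control Salesforce added for these issues; off by default.
    if not settings.get("EnforceDMFLSAndDataEncryption", False):
        findings.append(("HIGH", "EnforceDMFLSAndDataEncryption", "org",
                         "setting disabled (the default): plaintext access to encrypted "
                         "fields is not gated on the View Encrypted Data permission"))
    # Which Data Mappers are reachable by guest users through a FlexCard.
    guest_reach = {fc.get("data_mapper"): fc["name"]
                   for fc in snapshot.get("flexcards", []) if fc.get("guest_access")}
    for dm in snapshot.get("data_mappers", []):
        name = dm["name"]
        exposed = set(dm.get("fields", [])) & set(dm.get("encrypted_fields", []))
        if not dm.get("check_fls", True) and exposed:
            # Escalate when an anonymous user can reach the plaintext via a FlexCard.
            sev = "CRITICAL" if name in guest_reach else "HIGH"
            findings.append((sev, "CVE-2025-43697", name,
                             f"Check Field Level Security disabled; encrypted fields "
                             f"returned in plaintext: {sorted(exposed)}"))
        if dm.get("source") == "SOQL":
            findings.append(("HIGH", "CVE-2025-43698", name,
                             "SOQL data source: field-level security is not applied"))
    for dm_name, fc_name in guest_reach.items():
        findings.append(("HIGH", "CVE-2025-43700/43701", fc_name,
                         f"guest users can reach this FlexCard (backed by {dm_name})"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))
```

Re-running audit() after setting EnforceDMFLSAndDataEncryption to True in the snapshot drops the org-level finding but leaves the three component-level ones, which is the point of the audit: the new setting is a backstop, not a substitute for reviewing each Data Mapper and FlexCard.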