Thousands of organizations at risk from Salesforce Industry Cloud bugs

Five zero-days and 15 misconfigurations were discovered by AppOmni researchers in the low-code Salesforce Industry Cloud, bugs that could lead to unauthorized access to encrypted fields, session stealing, credentials, and business logic at "tens of thousands" of organizations.

The Salesforce Industry Cloud accounts for a substantial portion of Salesforce.com's total customer base of 150,000, and roughly 25% of AppOmni's customer base. AppOmni claims to support 25% of Fortune 100 companies.

Customers use the Salesforce Industry Cloud to deploy pre-built applications, best practices, templates, workflows, and data models that are designed with a specific industry in mind. These services are managed by Vlocity, a company Salesforce acquired in 2020, now known as Salesforce Industries.

AppOmni's Aaron Costello, the company's chief of SaaS security research, said that once he notified Salesforce of his findings, Salesforce collaborated with AppOmni to issue updates. According to his June 10 blog, Salesforce issued CVEs for five of his findings, fixing three via auto-updates and issuing configuration guidance for the other two, which require customer action. The remaining configuration risks are the responsibility of customers to address, said Costello.

"Three of these issues have been entirely fixed, requiring no customer action," said Costello. "The other two vulnerabilities were tackled through the introduction of a customer-controllable security setting, therefore requiring customers to take measures to keep themselves secure. And both of their sections have since had their remediation subsections updated to reflect these new controls."

The CVEs that Salesforce fixed via auto-update are CVE-2025-43699, CVE-2025-43700, and CVE-2025-43701. The CVEs that customer teams must fix themselves are CVE-2025-43697 and CVE-2025-43698.

Nic Adams, co-founder and CEO at 0rcus, said the flaws identified by AppOmni are potentially catastrophic because they enable plaintext extraction of encrypted values, bypass permission checks at client runtime, and elevate privileges without audit logs. They also allow for session token replay via cached endpoints, remote code invocation through manipulated parameters, and blind lateral movement across tenants.

Adams said security teams must isolate the Industry Cloud modules, enforce server-side ACLs, revoke all active tokens, disable vulnerable components, deploy inline request validation, and conduct adversarial replay tests on every critical workflow.

"Low-code environments amplify risk via unchecked component composition, default-permission inheritance, exposed API gateways, implicit trust zones, invisible caching loopholes, and context-switch vulnerabilities," said Adams. "Non-technical users often overlook threat models, skip permission hardening, misroute execution contexts, embed static credentials, ignore input validation, and fail to audit change histories, which can turn powerful abstractions into weaponized code."

Jason Soroko, senior fellow at Sectigo, added that AppOmni's research shows that the Salesforce Industry Cloud brings a larger security burden than many tenants realize. Soroko said the AppOmni team found five zero-day flaws and 15 easy-to-make misconfiguration traps in the OmniStudio assets, and that missteps such as low-code components that ignore access checks, public caching that leaks data, and off-platform OmniOut apps that can expose API tokens create real risk.

"Default settings that feel convenient can end up handing attackers a clear path to sensitive records," Soroko said.

Soroko said security teams should treat their Industry Cloud org as a production-critical system that demands rigorous hardening. He said teams should verify completion of the two customer-side patches, then audit every Salesforce FlexCard, Data Mapper, Integration Procedure, and saved workflow to make sure field-level security and sharing rules are enforced.

Snir Ben Shimol, co-founder and CEO of Zest Security, said teams should consider this another wake-up call that traditional vulnerability management isn't built for today's cloud environments. Shimol said risk doesn't stop at patchable CVEs, especially when third-party platforms like Salesforce introduce a mix of zero-days, misconfigurations, and user-driven customization.

Shimol said that in these cases teams often can't remediate the risk directly, so a mature strategy must go beyond scanning. That means treating security as a layered discipline:

- Understand app and cloud misconfigurations.
- Define enforcement via IaC and guardrails.
- Deploy mitigations when direct fixes aren't possible.

"Relying solely on vendor security in a shared-responsibility world is a risk in itself," said Shimol. "You need visibility, control, and clear ownership, especially when third-party vendors are in place."
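The access-check gap Soroko describes (server-side logic behind low-code components that ignores sharing rules and field-level security) is illustrated below in Apex as an added example; it is not code from the article, from AppOmni or from Salesforce. The class, object and field names are constructed for illustration, and the hardened version uses the platform's standard `with sharing`, `WITH USER_MODE` and `Security.stripInaccessible` controls.

```apex
// Constructed example (not from the article, Salesforce or AppOmni).
// Both classes are shown together for comparison; in an org each Apex
// class lives in its own file.

// BEFORE: runs in system mode. "without sharing" ignores record-level
// sharing rules, and plain SOQL ignores field-level security, so any
// component or API call that can reach this method can read every
// Contract record and every selected field, whatever the caller's
// own permissions are.
public without sharing class ContractLookupUnsafe {
    @AuraEnabled
    public static List<Contract> find(String accountName) {
        return [SELECT Id, ContractNumber, Description
                FROM Contract
                WHERE Account.Name = :accountName];
    }
}

// AFTER: "with sharing" applies the running user's sharing rules, and
// WITH USER_MODE makes the query enforce field-level security as well
// (the query throws if the user cannot read a selected field).
public with sharing class ContractLookup {
    @AuraEnabled
    public static List<Contract> find(String accountName) {
        return [SELECT Id, ContractNumber, Description
                FROM Contract
                WHERE Account.Name = :accountName
                WITH USER_MODE];
    }

    // Alternative when partial results are acceptable: check object
    // access explicitly, run the query under sharing rules, then strip
    // the fields the user cannot read instead of failing the request.
    public static List<Contract> findLenient(String accountName) {
        if (!Schema.sObjectType.Contract.isAccessible()) {
            throw new AuraHandledException('Contract is not accessible');
        }
        List<Contract> rows = [SELECT Id, ContractNumber, Description
                               FROM Contract
                               WHERE Account.Name = :accountName];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contract>) decision.getRecords();
    }
}
```

When auditing FlexCards, Data Mappers and Integration Procedures, the question to ask of each Apex class they call is which of these two shapes it has.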