The Salesforce Security Wake-Up Call

Salesforce is facing renewed scrutiny over the security of its Industry Cloud platform after cybersecurity researchers uncovered more than 20 configuration-related weaknesses and five critical vulnerabilities that could expose sensitive business and personal data.

The flaws, identified by security firm AppOmni, affect multiple components within Salesforce Industry Cloud, including FlexCards, Data Mappers, Integration Procedures (IProcs), and other low-code development tools widely used across healthcare, finance, and the public sector.

“Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn’t prioritized,” said Aaron Costello, chief of SaaS Security Research at AppOmni.

If left unaddressed, these configuration issues could allow unauthorized users, including threat actors, to gain access to encrypted customer and employee data, system credentials, session logs, and internal business logic.

Five CVEs Assigned

Five of the misconfigurations were assigned official CVE identifiers, with severity scores ranging from 5.3 to 9.1. The most critical, CVE-2025-43698, allows attackers to bypass field-level security in Salesforce Object Query Language (SOQL) queries, potentially revealing protected data.

Another vulnerability, CVE-2025-43701, permits guest users to access custom settings, while others return encrypted data in plaintext if specific permissions are not enforced.

Salesforce said it has addressed the server-side vulnerabilities and provided updated configuration guidance. However, some protections, such as a new setting called “EnforceDMFLSAndDataEncryption”, must be manually enabled by customers.

A Salesforce spokesperson told reporters that the majority of issues stem from customer-side misconfigurations rather than flaws in the underlying application.

“All issues identified in this research have been resolved, with patches made available to customers and official documentation updated,” the spokesperson said. “We have not observed any evidence of exploitation in customer environments.”

Separate Zero-Day Disclosed

In a separate development, security researcher Tobia Righi—also known by the handle MasterSplinter—disclosed a zero-day vulnerability in Salesforce’s default Aura controller. The flaw, involving unsafe handling of a user-supplied parameter, could be exploited to perform a SOQL injection attack.

The vulnerability resides in the default “CsvDataImportResourceFamilyController,” which is present in all Salesforce deployments. By manipulating the contentDocumentId parameter, an attacker could extract document metadata from non-public records using brute-force ID generation.
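The parameter-handling weakness described here, together with the field-level-security concern from the CVE section above, as an added Apex illustration that is not the disclosed controller's code: the class and method names are hypothetical, and the bind-variable and `WITH USER_MODE` hardening are this page's editorial suggestion, not Salesforce's published fix.

```apex
// Added illustration (not the controller from the disclosure): a hypothetical
// Aura-enabled Apex method that looks up a ContentDocument by a caller-supplied
// ID, first in the unsafe pattern the article describes, then hardened.
public with sharing class DocumentLookupController {

    // UNSAFE: the caller-controlled string is concatenated straight into SOQL,
    // Database.query runs in system mode, and no ID validation happens. A quote
    // in the parameter alters the query, and the result ignores field-level
    // security, so any record the string resolves to is returned.
    @AuraEnabled
    public static List<ContentDocument> unsafeLookup(String contentDocumentId) {
        String q = 'SELECT Id, Title, FileType FROM ContentDocument '
                 + 'WHERE Id = \'' + contentDocumentId + '\'';
        return Database.query(q);
    }

    // HARDENED: parse the parameter as an Id (rejecting anything that is not a
    // well-formed ID), check it is actually a ContentDocument ID, bind it with
    // a :variable instead of concatenating, and run the query in user mode so
    // the caller's sharing rules and field-level security are enforced.
    @AuraEnabled
    public static List<ContentDocument> safeLookup(String contentDocumentId) {
        Id docId;
        try {
            docId = Id.valueOf(contentDocumentId);
        } catch (StringException e) {
            throw new AuraHandledException('Invalid document id.');
        }
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Invalid document id.');
        }
        return [SELECT Id, Title, FileType
                FROM ContentDocument
                WHERE Id = :docId
                WITH USER_MODE];
    }
}
```

Binding and user mode close the injection and the field-level-security gap, but they do not stop a caller from probing valid IDs one by one; rate limiting at the controller and alerting on bursts of failed lookups are separate controls.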

Salesforce said it promptly resolved the issue following Righi’s responsible disclosure and reiterated that no exploitation had been detected.

Industry Concerns Rise

Security experts warn that the findings raise significant concerns for organizations governed by strict data protection rules such as HIPAA, GDPR, SOX, and PCI-DSS.

“Misconfigurations like these may seem minor, but in regulated environments, even one oversight can cascade into a major compliance failure,” said Costello. “And because customers are responsible for their own settings, the liability is often on them, not the vendor.”

AppOmni noted that low-code platforms introduce new risk categories, particularly when complex configurations intersect with sensitive data and default access permissions.

No Reports of Breaches—Yet

As of the publication date, no public incidents linked to these vulnerabilities have been reported. Still, security professionals are urging administrators to audit their Salesforce configurations immediately, apply all available patches, and enable recommended security settings.

The report follows a broader industry trend of intensified scrutiny over SaaS application security, particularly as organizations increasingly rely on third-party platforms to handle critical data and workflows.