{"id":863456,"date":"2025-07-19T00:12:22","date_gmt":"2025-07-19T05:12:22","guid":{"rendered":"https:\/\/newsycanuse.com\/index.php\/2025\/07\/19\/salesforce-industry-cloud-riddled-with-configuration-risks\/"},"modified":"2025-07-19T00:12:22","modified_gmt":"2025-07-19T05:12:22","slug":"salesforce-industry-cloud-riddled-with-configuration-risks","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2025\/07\/19\/salesforce-industry-cloud-riddled-with-configuration-risks\/","title":{"rendered":"Salesforce Industry Cloud riddled with configuration risks"},"content":{"rendered":"<div>\n<div itemscope itemtype=\"http:\/\/schema.org\/Person\">\n<p><img loading=\"lazy\" decoding=\"async\" data-hero alt=\"Lucian Constantin\" src=\"https:\/\/www.csoonline.com\/wp-content\/uploads\/2025\/07\/945-0-84770000-1752876131-lucian_constantin-100942616-orig.png?w=150\" height=\"150\" width=\"150\">\t\t\t<\/p>\n<\/p><\/div>\n<div>\n<p><span><br \/>\n\t\t\t\tUpdated\t\t\t<\/span><\/p>\n<div>\n<p><span>News Analysis<\/span><\/p>\n<p><span>Jun 16, 2025<\/span><span>8 mins<\/span><\/p>\n<p><span><a href=\"https:\/\/www.csoonline.com\/cloud-security\/\">Cloud Security<\/a><\/span><span><span>Configuration Management<\/span><\/span><span><span>Data and Information Security<\/span><\/span><\/p>\n<\/div><\/div>\n<\/p><\/div>\n<article id=\"post-4006341\">\n<div>\n<div>\n<div>\n<h2>\n\t\t\t\tAppOmni researchers found 20 insecure configurations and behaviors in Salesforce Industry Cloud\u2019s low-code app building components that could lead to data exposure.\t\t\t<\/h2>\n<\/p><\/div>\n<div id=\"remove_no_follow\">\n<body><\/p>\n<div>\n<p>Salesforce Industry Cloud customers can easily misconfigure their deployments to enable attackers to access encrypted customer information, session data, credentials, and business logic, security researchers have found.<\/p>\n<p>The Salesforce Industry Cloud suite of vertical-aligned solutions includes a low-code platform that 
provides pre-built digital transformations tools for specific industries, such as financial services and manufacturing.<\/p>\n<p>Aimed at non-developers, low-code tools can allow \u201cnon-technical users to build logic that touches critical systems and sensitive customer and internal data,\u201d said Aaron Costello, chief of SaaS security research at AppOmni, in <a href=\"https:\/\/appomni.com\/blog\/low-code-high-stakes-salesforce-security\/\">a report that identified 20 misconfiguration risks<\/a> associated with Salesforce Industry Cloud\u2019s OmniStudio low-code offering.<\/p>\n<\/div>\n<div>\n<p>\u201cBut this empowerment can come at a cost with respect to security, drastically increasing the risk of misconfigurations by customers,\u201d Costello noted. \u201cThis combination of flexibility and implicit trust means that a customer misconfiguring one component, or overlooking one setting, can lead to system-wide data exposure.\u201d<\/p>\n<p>Among the risks identified by Costello and AppOmni were:<\/p>\n<ul>\n<li>Low-code components that do not enforce access control checks or respect encrypted data fields by default<\/li>\n<li>Workflow code that is executable by external or unauthenticated users<\/li>\n<li>Caching mechanisms that can lead to bypassed access controls<\/li>\n<li>Poorly developed off-platform applications that can result in API token theft<\/li>\n<li>Sensitive API keys and other data embedded directly into components that can be read without permissions<\/li>\n<li>Insecure permissions on saved workflows<\/li>\n<\/ul>\n<p>Of the <a href=\"https:\/\/go.appomni.com\/hubfs\/Research\/Salesforce-Industry-Clouds-Low-Code-High-Stakes.pdf?utm_campaign=14666311-Salesforce_Industry_Clouds_Low_Code_High_Stakes_FY26&#038;utm_source=AO-Blog&#038;utm_medium=button-bottom&#038;utm_content=June-2025\">20 misconfiguration risks identified by AppOmni<\/a>, Salesforce has issued CVEs and guidance to prevent five. 
The rest have been left to customers to avoid.<\/p>\n<\/div>\n<div>\n<h2 id=\"salesforce-issues-five-cves\">Salesforce issues five CVEs<\/h2>\n<p>The five CVEs Salesforce issued involve problems discovered in OmniStudio\u2019s FlexCards and Data Mappers components. Salesforce notified customers on May 19 about the issues.<\/p>\n<p>FlexCards, which fetch data from Salesforce and third-party sources for use in workflows or for display in customer-facing web views, accounted for four of the CVEs:<\/p>\n<ul>\n<li>CVE-2025-43698: The SOQL data source ignores field-level security (FLS), exposing all field data for records.<\/li>\n<li>CVE-2025-43699: The \u201cRequired Permissions\u201d field can be bypassed due to the check being performed client-side.<\/li>\n<li>CVE-2025-43700: The \u201cView Encrypted Data\u201d permission is not enforced, returning plaintext values for data that uses Classic Encryption to unauthorized users.<\/li>\n<li>CVE-2025-43701: Allows Guest Users to access values for Custom Settings.<\/li>\n<\/ul>\n<p>Data Mappers is a feature available as an option for FlexCards datasources or as an action as part of back-end Integration Procedures (IProcs) for server-side data processing. Data Mappers read and transform data into formats suitable for use in APIs or Salesforce objects.<\/p>\n<\/div>\n<div>\n<p>Costello found that two of the four Data Mapper types \u2014 Extract and Turbo Extract \u2014 do not enforce FLS by default and return plaintext data of encrypted values to users without permissions to see them. 
Salesforce assigned CVE-2025-43697 to this issue.<\/p>\n<p><em><strong>Update June 25: <\/strong><\/em>Salesforce published\u00a0<a href=\"https:\/\/www.salesforce.com\/blog\/introduction-your-trust-is-our-foundation\/\">a blog post<\/a>\u00a0detailing the changes the company made to these functionalities and the mitigations they added in response to these five vulnerabilities.<\/p>\n<h2 id=\"additional-configuration-risks\">Additional configuration risks<\/h2>\n<p>Fifteen other configuration patterns can also have serious security implications for Salesforce Industry Cloud customers.<\/p>\n<\/div>\n<div>\n<p>For example, Data Mappers and IProc metadata are cached using a mechanism known as Scale Cache to speed up execution in the future. While users need Sharing Rules configured in order to execute Data Mappers or IProcs, Costello found that once they\u2019re cached, these components become executable by any user regardless of permissions.<\/p>\n<p>\u201cUnfortunately there is no configuration setting that allows for the use of the Scale Cache while also respecting Data Mapper security controls,\u201d Costello said. \u201cAfter thorough testing, including the enablement of the CheckCachedMetadataRecordSecurity OmniStudio setting, it was revealed that the only way to enforce authorization checks for Data Mappers is to turn the Scale Cache off completely.\u201d<\/p>\n<p>Integration Procedures also don\u2019t respect the \u201cRequired Permission\u201d setting nor the Sharing Rules of any Data Mapper or other IProc they call as part of their actions. 
This behavior is documented by Salesforce but is extremely risky, because users only need to satisfy the access control of the initial IProc to call any Data Mapper or IProc involved in its process flow.<\/p>\n<\/div>\n<div>\n<p>\u201cOrganizations may have widely accessible IProcs that call upon powerful actions under the misconception that the permission requirements of all of an IProc\u2019s actions will be evaluated for the calling user,\u201d Costello said.<\/p>\n<p>Another common configuration risk involves HTTP actions commonly used as part of IProcs to communicate with external APIs. If those APIs require authentication, organizations might decide to hardcode usernames and passwords or API access tokens directly into the body of the IProc. Anyone who can execute an IProc can also see the hardcoded values stored within. In many cases, this includes external users or even guest users who can execute IProcs in debug mode.<\/p>\n<p>FlexCards and IProcs support a data source type called Remote Actions that allows the execution of Apex classes. Apex is Salesforce\u2019s Java-like object-oriented language for building applications on its platform.<\/p>\n<\/div>\n<div>\n<p>When an OmniStudio component attempts to execute an Apex class through Remote Actions, the request is proxied through the <code>BusinessProcessDisplayController<\/code> Apex class, which includes a <code>GenericInvoke2NoCont<\/code> method. This method does not validate whether the calling user has permission to access the Remote Action.<\/p>\n<p>\u201cThis results in an authorization bypass which may allow for both internal and external users to execute powerful Apex code that runs without sharing or does not implement security measures such as FLS,\u201d Costello said, adding that this is the default behavior.<\/p>\n<p>Another feature that can generate sensitive information exposure is Data Packs, which can export and import components to other Salesforce instances. 
This feature leaves artefacts in the form of JSON definition files that can contain dependent objects such as IProcs that further contain Data Mappers.<\/p>\n<\/div>\n<div>\n<p>\u201cA user with read access rights to this object and excessively broad Sharing Rules will have the ability to download the Data Pack component JSON files that are stored within the \u2018Attachment\u2019 sObject,\u201d Costello said. \u201cNotably, since these attachments solely rely on access checks on the OmniDataPack\u2019s \u2018Id\u2019 field, users do not need any field-level permissions on the \u2018OmniDataPack\u2019 sObject to access these files, only permissions at the object and Sharing Rule level.\u201d<\/p>\n<p>Data Packs can also become orphaned, for example, if the user creating them presses the cancel button during the process. In this case, their attachments get created and never removed. Worse, they are not listed on the Data Packs inventory page in OmniStudio, making it harder for admins to detect them.<\/p>\n<p>When embedded in an external website, FlexCard or OmniScript components need an access token to access Salesforce. These tokens must be created using an OmniOut app. However, a website\u2019s end-user can inspect the API requests locally in their browsers and extract this token, which can then be misused. Costello recommends that companies use a proxy for communication between external OmniStudio components and Salesforce.<\/p>\n<\/div>\n<div>\n<p>A proxy, however, won\u2019t help when the token itself is embedded in OmniOut code that has been compromised or stored in public version control systems like GitHub. 
Furthermore, a proxy could introduce risks if it\u2019s poorly configured to forward requests without validation, as users could attempt to tamper with parameters and values.<\/p>\n<p>\u201cSince OmniOut typically relies on authenticated Salesforce APIs, this account requirement is satisfied by providing the OmniOut component with a Connected App access token which will be used to make requests on behalf of all external users,\u201d the researcher noted. \u201cWhile not explicitly stated in the Salesforce documentation that details the Connected App creation process, it\u2019s imperative that organizations do not generate an access token for OmniOut that is tied to a privileged account such as System Administrator.\u201d<\/p>\n<p>Finally, OmniScripts, which tie together multiple back-end operations through IProcs, Data Mappers, and FlexCards, have a feature called Saved Session that allows users to save their progress and return to the script later. When such sessions are generated, a record is created in the OmniScript Saved Session sObject along with any data entered or returned by the script until being saved. By default there is no expiration time for these saved sessions.<\/p>\n<\/div>\n<div>\n<p>\u201cAlthough Guest and\/or Community Site users do not have the ability to save their own sessions, it does not prevent them reading the data of other user sessions if they are granted the permissions to do so, making this attack vector a risk that could be taken advantage of by both internal and external identities,\u201d the researcher found.<\/p>\n<h2 id=\"mitigation\">Mitigation<\/h2>\n<p>For the insecure configurations that Salesforce has not already fixed, AppOmni provides mitigation recommendations in its paper, including a list of objects that should have their object, field, and Sharing Rule configurations routinely audited. 
Reducing the access level for OmniStudio sObjects and their records to only what\u2019s necessary is the first line of defense, the company said.<\/p>\n<\/div>\n<p><\/body><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4006341\/salesforce-industry-cloud-riddled-with-configuration-risks.html\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated News Analysis Jun 16, 2025 8 mins Cloud Security Configuration Management Data and Information Security AppOmni researchers found 20 insecure configurations and behaviors in Salesforce Industry Cloud\u2019s low-code app building components that could lead to data exposure. Salesforce Industry Cloud customers can easily misconfigure their deployments to enable attackers to access encrypted customer 
information<\/p>\n","protected":false},"author":1,"featured_media":863457,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[648,3997],"tags":[7377,19626],"class_list":{"0":"post-863456","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-industry","8":"category-salesforce","9":"tag-industry","10":"tag-salesforce"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/863456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=863456"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/863456\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/863457"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=863456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=863456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=863456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}