SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Salesforce industry cloud flaws put sensitive data at global risk

Yesterday

Security researchers from AppOmni have identified more than 20 security issues, including several zero-day vulnerabilities, in Salesforce industry clouds, putting data held by thousands of organisations at risk of exposure.

The findings concern core features of Salesforce's industry-specific cloud suite, which is widely used by companies in sectors such as finance, healthcare, government, and telecommunications. These vulnerabilities and configuration risks have the potential to expose a vast array of sensitive information, including names, email addresses, home addresses, financial records, and healthcare information. The issues also include the theft of login credentials, which attackers could use to gain further access to other company systems.

The vulnerabilities were uncovered by Aaron Costello, Chief of SaaS Security Research at AppOmni. According to Costello's research, misconfigurations in Salesforce industry clouds' default settings can allow unauthorised actors to bypass access controls, decrypt sensitive data, exploit caching mechanisms to leak information, and steal session data and API tokens.

AppOmni reported these findings to Salesforce, which has since issued five Common Vulnerabilities and Exposures (CVEs), addressing three vulnerabilities with patches and providing guidance to mitigate two others. The remaining 16 identified risks are configuration-related, requiring customers to take direct action.

High-risk vulnerabilities

The most severe of the vulnerabilities affect core Salesforce components known as FlexCards and Data Mappers. Among the CVEs, two require manual patching by customers:

  • CVE-2025-43697: Data Mapper's 'Extract' and 'Turbo Extract' actions do not enforce field-level security by default and can return unencrypted data to unauthorised users.
  • CVE-2025-43698: FlexCard's SOQL data source fails to enforce field-level security, exposing all data fields on returned records.

The other CVEs involve permission bypasses: FlexCard's required permissions can be circumvented, encryption checks are not correctly enforced, guest users can access sensitive values, and default configurations may expose data to those without the necessary credentials.

Approximately 25% of AppOmni's observed customers using Salesforce industry clouds were found to be at risk of making sensitive data publicly accessible due to these vulnerabilities and misconfigurations.

Industry-wide impact

Thousands of companies globally could be affected, as Salesforce industry clouds are deployed in organisations of all sizes and across a range of industries. The nature of the vulnerabilities is such that any sensitive data held in these systems could be exposed if the environments are not properly secured.

In describing the implications, Aaron Costello said:

"Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritised. My research highlights how simple misconfigurations can create serious risks, not just within Industry Cloud but across an organisation's entire Salesforce environment. By understanding these risks and applying best practices, companies can fully leverage Industry Cloud's capabilities without exposing themselves to unnecessary threats."

Joel Wallenstrom, General Manager at AppOmni, also highlighted broader concerns around software as a service (SaaS) security:

"SaaS apps dominate the world, yet SaaS security remains years behind. Everyone freaks out over an open S3 bucket, yet misconfigured SaaS apps are everywhere and barely get noticed. That has to change. At RSA, JPMC CISO Pat Opet called for real leadership to address systemic SaaS risks. Aaron Costello's research answers that call, helping customers secure Salesforce Industry Cloud configurations. At AppOmni, we're proud to drive SaaS security forward—built by hackers, for defenders. We're committed to helping customers reduce risk and grateful to the Salesforce security team for collaborating to bring this research to our shared customers."

Mitigation steps

The research paper from AppOmni details a number of actions that organisations should take to secure their Salesforce industry cloud environments. Essential steps include locking down sharing rules, tightening field-level access for industry cloud objects, hardening powerful components through additional permissions, updating default settings to minimise risk, and applying the regular patches provided by Salesforce.
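The two CVEs listed above and the "tightening field-level access" step here share one underlying point: a data-access component that queries records without checking field-level security (FLS) returns every selected field to whoever can call it. The Apex class below is an added illustration written for this article, not code from AppOmni's research, from Salesforce, or from the FlexCard and Data Mapper components themselves; the class name, method names and the Contact fields chosen are assumptions. It places a hypothetical unchecked query beside two hardened forms that use Salesforce's documented FLS mechanisms (`WITH SECURITY_ENFORCED` and `Security.stripInaccessible`), plus a describe-based pre-flight check a component can use to fail closed.

```apex
// Added illustration (not from AppOmni's research or Salesforce): enforcing
// field-level security in a custom Apex data-access class so that callers only
// receive fields the running user is permitted to read.
public with sharing class ContactExtractService {

    // Hypothetical "before" pattern: returns every selected field regardless of
    // the running user's FLS. "with sharing" applies object-level sharing rules,
    // but field permissions are never consulted, so a low-privilege or guest
    // caller sees Email, Phone and MailingStreet on every record returned.
    public static List<Contact> extractWithoutFls(Set<Id> ids) {
        return [SELECT Id, Email, Phone, MailingStreet
                FROM Contact WHERE Id IN :ids];
    }

    // Hardened pattern 1: WITH SECURITY_ENFORCED makes the query throw a
    // System.QueryException if the user lacks read access to any selected
    // field or to the object, so no data is returned at all (fail closed).
    public static List<Contact> extractStrict(Set<Id> ids) {
        return [SELECT Id, Email, Phone, MailingStreet
                FROM Contact WHERE Id IN :ids
                WITH SECURITY_ENFORCED];
    }

    // Hardened pattern 2: query, then strip any field the user cannot read.
    // Appropriate when a partial result is acceptable, e.g. a card that simply
    // omits columns the viewer is not entitled to see.
    public static List<Contact> extractStripped(Set<Id> ids) {
        List<Contact> raw = [SELECT Id, Email, Phone, MailingStreet
                             FROM Contact WHERE Id IN :ids];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, raw);
        // decision.getRemovedFields() maps object name -> set of withheld
        // fields; recording it is useful when auditing what a component exposes.
        return (List<Contact>) decision.getRecords();
    }

    // Pre-flight check: can the running user read this field at all? A
    // component can call this before rendering a field and hide it when false.
    public static Boolean canReadField(String objectName, String fieldName) {
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName);
        if (objType == null) {
            return false;
        }
        Schema.SObjectField field =
            objType.getDescribe().fields.getMap().get(fieldName);
        return field != null && field.getDescribe().isAccessible();
    }
}
```

The practical distinction to carry into a review of any low-code component is which of these three behaviours it exhibits by default: the first silently over-shares, the second refuses the whole request, and the third returns a reduced record. The report's finding that Data Mapper's Extract actions and FlexCard's SOQL data source did not enforce FLS by default corresponds to the first behaviour, which is why the mitigation guidance pairs field-level permission tightening with updating the components' default settings.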

The findings also emphasise the maturity gap in SaaS security, noting that security is not optional and must be treated with the same discipline as traditional software development. For organisations operating under regulatory regimes such as HIPAA, GDPR, SOX, or PCI-DSS, the risks represent potential compliance failures and data breach liabilities.

AppOmni has released over 20 automated insights and detection mechanisms for its customers to help identify and correct risky Salesforce configurations. These tools are aligned to the security issues outlined in the research, enabling security and platform teams to address problems proactively.

Salesforce has published its own advisory to guide customers in remediating the reported issues. Customers using affected products are urged to review their configurations and apply necessary patches and best practices to mitigate the risk of data exposure.
