Research Reveals Security Misconfiguration Risks and Zero-Day Vulnerabilities in Salesforce

Recent research has revealed significant security vulnerabilities in Salesforce, affecting core components used by businesses across industries. AppOmni, a SaaS security platform, uncovered over 20 misconfigurations, along with several zero-day vulnerabilities that expose sensitive customer data to potential threats.

These risks largely stem from how Salesforce environments are configured. While Salesforce has issued fixes for several high-priority flaws, the majority of the vulnerabilities require customers to take action in order to protect their systems. Salesforce Industry Clouds, designed for industries like healthcare, finance, and telecommunications, offer low-code solutions that allow both technical and non-technical teams to create custom workflows. However, the flexibility of these platforms means that misconfigurations can have serious security consequences.

Salesforce Industry Clouds are built around powerful components like FlexCards, Data Mappers, and Integration Procedures. These features allow businesses to create and automate workflows, integrate data, and build advanced functionality—all with minimal coding effort. However, these features do not always enforce critical security measures by default.

For example, FlexCards were found to expose sensitive data without enforcing field-level security (FLS), which could allow unauthorized users to access private information (CVE-2025-43698). They also failed to correctly validate user permissions before executing actions, allowing for privilege escalation (CVE-2025-43699).

And within Data Mappers, which are used for extracting and transforming data, security checks were not always enforced by default and encrypted data was sometimes returned without proper authorization (CVE-2025-43697).

These vulnerabilities, among others, put organizations at risk for data breaches, privilege escalation, and unauthorized access to encrypted data.

Low-Code Platform Risk

Salesforce’s low-code platform provides a high degree of flexibility and speed, allowing businesses to innovate quickly, but that convenience comes with a trade-off: ease of development often results in security oversights. Many of these vulnerabilities stem from misconfigurations, where default settings don’t enforce proper security practices.

In sectors where data privacy and security are critical—such as healthcare, finance, and telecommunications—these misconfigurations can lead to serious consequences, including exposure of sensitive personal data and regulatory breaches. While low-code platforms are designed to be user-friendly, they still require careful configuration and ongoing security monitoring.

While Salesforce has issued fixes for some of the identified vulnerabilities, many risks remain, and customers are responsible for properly securing their environments. Here are a few steps businesses can take to mitigate these risks:

  • Enforce strict access controls: Ensure that only authorized users can access sensitive data and workflows.
  • Regularly audit configurations: Periodically review Salesforce configurations and settings to ensure they align with best security practices.
  • Update default settings: Where possible, adjust Salesforce’s default settings to prioritize security, such as by enforcing stronger encryption or restricting data access.
  • Implement secure integrations: Ensure that any integrations or workflows involving third-party tools do not inadvertently expose data or credentials.
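
The first two steps above, enforcing access controls and auditing configurations, can be turned into a repeatable check. The script below is an added example written for this article; it is not code from AppOmni or Salesforce. It takes records shaped like Salesforce's FieldPermissions object (the object and its Parent, SobjectType, Field, PermissionsRead and PermissionsEdit fields are real metadata) and flags any profile or permission set that can read a field the organization classifies as sensitive but that is not on an approved reader list. The sample records are constructed, and the sensitive-field list and the approved-reader set are hypothetical placeholders an organization would replace with its own.

```python
"""Audit Salesforce field-level security (FLS) grants on sensitive fields.

Added example, not part of the original article or AppOmni's research. It runs
offline over constructed records shaped like the FieldPermissions object; the
sensitive-field list and approved-reader set are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# SOQL that would return records of the shape used below from a live org.
# The object and field names are real Salesforce metadata; the query is not
# executed here.
FLS_QUERY = (
    "SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name, "
    "SobjectType, Field, PermissionsRead, PermissionsEdit FROM FieldPermissions"
)

# Hypothetical: fields this org treats as sensitive, as Object.Field API names.
SENSITIVE_FIELDS = {"Contact.SSN__c", "Patient__c.Diagnosis__c"}

# Hypothetical: the only principals allowed to read those fields.
ALLOWED_READERS = {"PermissionSet:Compliance_Reviewer"}

# Constructed sample records in the shape of the FLS_QUERY result.
SAMPLE_RECORDS = [
    {"Parent": {"Name": "X00eCONSTRUCTED01", "IsOwnedByProfile": True,
                "Profile": {"Name": "Standard User"}},
     "SobjectType": "Contact", "Field": "Contact.SSN__c",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Parent": {"Name": "Compliance_Reviewer", "IsOwnedByProfile": False,
                "Profile": None},
     "SobjectType": "Contact", "Field": "Contact.SSN__c",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Parent": {"Name": "X00eCONSTRUCTED01", "IsOwnedByProfile": True,
                "Profile": {"Name": "Standard User"}},
     "SobjectType": "Contact", "Field": "Contact.Email",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Parent": {"Name": "Community_Guest", "IsOwnedByProfile": False,
                "Profile": None},
     "SobjectType": "Patient__c", "Field": "Patient__c.Diagnosis__c",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Parent": {"Name": "X00eCONSTRUCTED01", "IsOwnedByProfile": True,
                "Profile": {"Name": "Standard User"}},
     "SobjectType": "Patient__c", "Field": "Patient__c.Diagnosis__c",
     "PermissionsRead": False, "PermissionsEdit": False},
]


@dataclass(frozen=True)
class Finding:
    """A sensitive field readable by a principal outside the approved set."""
    field: str
    parent: str
    can_edit: bool


def parent_label(record: dict) -> str:
    """Name the grant's principal: profile-owned permission sets carry the
    profile name, stand-alone permission sets carry their own API name."""
    parent = record["Parent"]
    if parent["IsOwnedByProfile"]:
        return "Profile:" + parent["Profile"]["Name"]
    return "PermissionSet:" + parent["Name"]


def find_overexposed(records: list[dict],
                     sensitive_fields: set[str] = SENSITIVE_FIELDS,
                     allowed_readers: set[str] = ALLOWED_READERS) -> list[Finding]:
    """Return every read grant on a sensitive field whose principal is not
    on the approved reader list, sorted for stable reporting."""
    findings = []
    for rec in records:
        if rec["Field"] not in sensitive_fields or not rec["PermissionsRead"]:
            continue
        label = parent_label(rec)
        if label in allowed_readers:
            continue
        findings.append(Finding(rec["Field"], label, bool(rec["PermissionsEdit"])))
    return sorted(findings, key=lambda f: (f.field, f.parent))


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by field so each over-exposed field lists its readers."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.field, []).append(f.parent)
    return {field: sorted(parents) for field, parents in report.items()}


if __name__ == "__main__":
    for field, readers in summarize(find_overexposed(SAMPLE_RECORDS)).items():
        print(f"{field}: readable by {', '.join(readers)}")
```

In a live org the same logic runs over the real FLS_QUERY result; any finding is either a grant to revoke or a principal to add to the approved list after review, and re-running the script after each change is the ongoing audit the article recommends.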

Salesforce Industry Clouds offer businesses powerful tools to innovate and streamline their operations, but low-code models introduce risks that organizations must actively manage. With proper configuration and diligent security practices, businesses can take full advantage of their capabilities while protecting their sensitive data.

For more detailed insights on the identified vulnerabilities and specific mitigation strategies, check out the full report from AppOmni here.
