A new report from cybersecurity researchers at AppOmni has sounded the alarm on Salesforce's Industry Cloud, revealing more than 20 configuration-related vulnerabilities that place sensitive corporate and customer data at significant risk.
The flaws are buried inside the platform's low-code tooling. Attackers could obtain encrypted data and passwords belonging to organizations in industries such as healthcare and finance, all through risky "low-code" shortcuts.
The very tools meant to make life easier have opened the door to large-scale exposure. Millions of records are at stake, and only prompt remediation can prevent the next major breach.
Low-Code Convenience Meets High Risk
OmniStudio allows business users to create workflows, data integrations, and user interfaces using low-code tools. But the same simplicity that accelerates innovation can also obscure security implications. AppOmni’s research reveals how default settings, misunderstood permissions, and inadequate validation checks allow malicious actors to exploit system behavior in unintended ways.
According to Aaron Costello, Chief of SaaS Security Research at AppOmni, "Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritized."
AppOmni’s May 2025 report emphasizes that these are not traditional software bugs. Rather, they are design decisions and default configurations that rely too heavily on users doing everything correctly. This reliance introduces major risks when users lack the expertise to secure configurations properly.
Critical CVEs Identified
Out of the 20 configuration flaws found, five have been assigned CVE identifiers and formally recognized by Salesforce:
- CVE-2025-43697 (CVSS 7.5): When “Check Field Level Security” is disabled, Extract and Turbo Extract Data Mappers may expose plaintext values of encrypted fields to users with general record access.
- CVE-2025-43698 (CVSS 9.1): SOQL data sources in FlexCards bypass Field-Level Security, making hidden data visible.
- CVE-2025-43699 (CVSS 5.3): FlexCards do not enforce the “Required Permissions” field on the OmniUiCard object, allowing easy bypass.
- CVE-2025-43700 (CVSS 7.5): FlexCards disregard the “View Encrypted Data” permission, displaying sensitive data in plaintext.
- CVE-2025-43701 (CVSS 7.5): Guest Users can access Custom Settings values through improperly secured FlexCards.
As news of these vulnerabilities spreads, pressure is mounting on Salesforce to act swiftly. The scale and severity of the flaws have forced urgent changes, especially as critical industries demand reassurance that their sensitive data will remain safe. Salesforce has responded by releasing new security features to help customers lock down their environments before attackers can strike.
For example, to mitigate two of the most dangerous flaws (CVE-2025-43697 and CVE-2025-43698), Salesforce introduced a new setting called “Enforce DMFLS And Data Encryption.” When enabled, it ensures that only users with the proper “View Encrypted Data” permission can view decrypted field values.
Scale Cache and Chained Execution Risks
One of the most serious issues involves OmniStudio’s Scale Cache. While designed to improve performance by caching metadata, this feature undermines access controls. Once a component is cached, its metadata is reused for all users, even those who would otherwise lack access. AppOmni’s tests showed that enabling Salesforce’s recommended setting, CheckCachedMetadataRecordSecurity, does not sufficiently protect cached components.
Similarly, Integration Procedures often chain multiple Data Mappers and APIs. AppOmni found that if a user can execute a top-level IProc, they can also access every nested component, bypassing individual permission checks. This behavior is particularly dangerous when sensitive business logic or data transformation routines are embedded in the chain.
Token and Credential Exposure
Integration Procedures frequently involve external API calls. Developers often hardcode usernames, passwords, or tokens into the IProc body to ensure functionality. If executed in debug mode or misconfigured community portals, even guest users might retrieve these hardcoded credentials. This results in straightforward credential leakage.
OmniOut tokens, used to authorize FlexCards and OmniScripts on public websites, are often stored insecurely. Users inspecting browser network traffic can extract these tokens, gaining access to the underlying Salesforce environment. Worse, some tokens are tied to privileged accounts, multiplying the damage potential.
Apex Invocation Without Authorization
FlexCards and IProcs can use Remote Actions to call Apex classes via the BusinessProcessDisplayController proxy. AppOmni found that the controller’s GenericInvoke2NoCont method lacks proper authorization checks. This enables unauthorized users to trigger powerful Apex operations, possibly altering data or bypassing system-level restrictions.
This oversight represents a severe architectural flaw, especially since Apex classes often carry administrative privileges. Without proper gating, these low-code components provide a dangerous shortcut around security controls.
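An added illustration (not AppOmni's or Salesforce's code) of the mitigation implied above: an OmniStudio Remote Action class that performs its own authorization gating instead of trusting the proxy that invoked it. It assumes the `omnistudio` managed namespace, a hypothetical custom permission `Run_Gated_Remote_Action`, and a hypothetical `updateAccountName` operation.

```apex
// Added example. Namespace and permission name are assumptions; the
// VlocityOpenInterface contract is the OmniStudio Remote Action entry point.
global with sharing class GatedRemoteAction implements omnistudio.VlocityOpenInterface {

    // Hypothetical custom permission that gates every method in this class.
    private static final String REQUIRED_PERM = 'Run_Gated_Remote_Action';

    global Boolean invokeMethod(String methodName, Map<String, Object> inputMap,
                                Map<String, Object> outMap, Map<String, Object> options) {
        // Gate inside the class: the calling proxy is not assumed to have
        // checked anything. Deny by default.
        if (!FeatureManagement.checkPermission(REQUIRED_PERM)) {
            outMap.put('error', 'Not authorized');
            return false;
        }
        if (methodName == 'updateAccountName') {
            return updateAccountName(inputMap, outMap);
        }
        outMap.put('error', 'Unknown method: ' + methodName);
        return false;
    }

    private Boolean updateAccountName(Map<String, Object> inputMap, Map<String, Object> outMap) {
        // Object- and field-level checks; 'with sharing' only covers record access.
        if (!Schema.SObjectType.Account.isUpdateable()
            || !Schema.SObjectType.Account.fields.Name.isUpdateable()) {
            outMap.put('error', 'Insufficient object or field access');
            return false;
        }
        String rawId = (String) inputMap.get('accountId');
        if (String.isBlank(rawId)) {
            outMap.put('error', 'accountId is required');
            return false;
        }
        Id accountId = Id.valueOf(rawId);
        // The query honours record sharing: a row the running user cannot see
        // is never updated, even if its ID was guessed.
        List<Account> accts = [SELECT Id FROM Account WHERE Id = :accountId WITH SECURITY_ENFORCED];
        if (accts.isEmpty()) {
            outMap.put('error', 'Record not found or not accessible');
            return false;
        }
        accts[0].Name = (String) inputMap.get('newName');
        update accts;
        outMap.put('updated', accts[0].Id);
        return true;
    }
}
```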
Orphaned Data Packs and Metadata Exposure
Salesforce’s Data Packs help developers migrate configurations by exporting components as JSON files. These are stored as attachments in Salesforce’s database. If improperly secured, attackers can download them and reverse-engineer sensitive logic or credentials.
If a Data Pack export is interrupted mid-process, it can leave behind orphaned JSON files. These invisible records may still be accessible if the Attachment object is not correctly restricted, allowing attackers to harvest metadata silently.
Guest User Overexposure
AppOmni’s research found that guest users can access more data than intended due to overly permissive sharing rules. For example, in OmniScripts, saved session data persists indefinitely and can be retrieved if object-level permissions are misconfigured. These records often contain personal data like loan applications or health plan details.
Salesforce states that guest users cannot save sessions. However, if sharing rules grant them read access, they can retrieve session records created by others. This loophole has major implications for regulatory compliance and user privacy.
Salesforce’s Response
Salesforce acknowledged the AppOmni report and confirmed that all disclosed issues have been addressed. “The vast majority of the issues stem from customer configuration issues and not vulnerabilities inherent to the application,” the company stated. Salesforce has released configuration guidelines and patches, and claims no evidence of active exploitation.
Still, the burden remains on customers to correctly configure the platform. For organizations under HIPAA, GDPR, SOX, or PCI-DSS, failing to do so could result in serious compliance failures.
A Separate Zero-Day Emerges
In a related disclosure, security researcher Tobia Righi revealed a SOQL injection vulnerability in Salesforce’s Aura controller. The issue arises from an unvalidated contentDocumentId parameter in the ACTION$getCsvAutoMap method. Attackers could exploit this flaw to inject additional queries and extract sensitive document metadata.
Righi explained that Salesforce IDs are predictable, making it easier to enumerate contentDocumentIds. By using brute-force scripts, attackers can target non-public documents and extract their details. Salesforce patched this issue after responsible disclosure and confirmed no active exploitation.
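An added illustration, not Salesforce's patched code (the Aura controller's internals are not public), of the injection-prone query-building pattern described above next to a hardened version, using a hypothetical Apex class and method names:

```apex
// Added example with hypothetical names; it models the pattern, not the real controller.
public with sharing class CsvAutoMapExample {

    // VULNERABLE PATTERN: the caller-supplied value is concatenated into the
    // query text, so whatever it contains becomes part of the SOQL statement.
    @AuraEnabled
    public static List<ContentDocument> getDocUnsafe(String contentDocumentId) {
        String q = 'SELECT Id, Title, FileType FROM ContentDocument WHERE Id = \''
                 + contentDocumentId + '\'';
        return Database.query(q);
    }

    // HARDENED PATTERN: validate that the value is an ID of the expected object
    // type, then pass it as a bind variable so it is treated as data, never syntax.
    @AuraEnabled
    public static List<ContentDocument> getDocSafe(String contentDocumentId) {
        Id docId;
        try {
            docId = Id.valueOf(contentDocumentId);
        } catch (StringException e) {
            throw new AuraHandledException('Invalid record id.');
        }
        if (docId.getSobjectType() != ContentDocument.SObjectType) {
            throw new AuraHandledException('Invalid record id.');
        }
        // WITH SECURITY_ENFORCED applies object- and field-level security, and
        // 'with sharing' applies record-level sharing. Together they also blunt
        // the ID-enumeration concern: a guessed ID returns nothing unless the
        // running user is actually allowed to see that record.
        return [SELECT Id, Title, FileType
                FROM ContentDocument
                WHERE Id = :docId
                WITH SECURITY_ENFORCED];
    }
}
```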
Broader Implications for Low-Code Security
The AppOmni report underscores a key issue in modern SaaS: secure-by-configuration versus secure-by-design. Salesforce OmniStudio opts for the former, giving users flexibility at the cost of protection. This model assumes that business users will configure components securely—a risky assumption.
Traditional security controls like firewalls and VPNs are irrelevant in these environments. The attack surface lies within the application and its configuration. Even a small oversight, like failing to restrict access to Attachment objects, can lead to widespread data exposure.
Recommendations for Enterprises
To address these risks, AppOmni recommends:
- Auditing all OmniStudio-related configurations including field-level and object-level permissions.
- Avoiding combinations like Scale Cache with Remote Actions unless absolutely necessary.
- Using secure proxies to handle token management and external API calls.
- Training business users and developers in secure design principles.
- Integrating SaaS security posture management (SSPM) tools to continuously monitor configurations and access patterns.
Security must be embedded in the development lifecycle, treating low-code artifacts like any other piece of software, with reviews, approvals, and compliance checks.
Final Thoughts
Salesforce Industry Cloud offers powerful tools for transformation. But as the AppOmni report makes clear, that power comes with responsibility.
Customers must understand that the platform’s default behaviors prioritize speed and ease, not security. If these systems are to be trusted with sensitive operations, security must be actively engineered into every workflow, component, and configuration.
Ultimately, secure low-code development is achievable. But it requires a culture of accountability, ongoing education, and robust tools to catch mistakes before they escalate. The message is clear: Salesforce provides the toolkit—it's up to each organization to build safely.