Advisory

Installer hijacking vulnerability reported in Salesforce CLI, allows SYSTEM-Level Access

Take action: Only download Salesforce CLI from official Salesforce distribution channels, never from third-party or untrusted sources that could contain malicious fake installers. If you already have Salesforce CLI installed, update to version 2.106.6 or later to ensure you have the patched version. If you are using Salesforce CLI, make sure to check your computers for possible infection.


Learn More

Salesforce is reporting a security vulnerability in its Command Line Interface (CLI) installer that enables attackers to achieve arbitrary code execution, privilege escalation, and complete SYSTEM-level access on Windows systems.

The Salesforce CLI is a tool used by developers and system administrators to automate interactions with the Salesforce platform, enabling script-based management of Salesforce configurations, data operations, and deployment processes.

The vulnerability is tracked as CVE-2025-9844 (CVSS score 8.8) and affects the Windows installer executable (sf-x64.exe). It's caused by improper handling of executable file paths during the installation process. The installer fails to validate the execution path for auxiliary executables and dynamic link libraries (DLLs) during installation. When the installer executes, it attempts to load several executable files and auxiliary components from the current working directory before referencing the directory containing the legitimate installer files.

The attack uses the flaw by tricking users into downloading what appears to be an authentic Salesforce CLI installer from untrusted sources. Attackers craft malicious packages that include a fake sf-x64.exe installer alongside malicious executables that are named identically to legitimate helper binaries used during the installation process, such as sf-autoupdate.exe or sf-config.dll. When users execute the compromised installer, it implicitly trusts files in the local directory over system paths when launching these components.

The installer runs with elevated privileges by default, requiring administrative access to write registry keys to HKLM (HKEY_LOCAL_MACHINE) and create services under the LocalSystem account. As a result, when the malicious helper binary is executed, it inherits SYSTEM-level privileges, effectively bypassing user-level restrictions and providing attackers with complete control over the target host.

Affected versions are all Salesforce CLI versions prior to 2.106.6.

Salesforce has released version 2.106.6 of the CLI installer, which patches CVE-2025-9844 by implementing proper validation of executable paths and hardcoding absolute file paths for auxiliary components.

But since the attack relies on users downloading the installer from untrusted sources, the existence of a patched release offers limited protection on its own: attackers can keep distributing repackaged copies of the older, vulnerable installer versions.

Users should upgrade to version 2.106.6 or later, but, MUCH MORE IMPORTANT, should ensure that installers are obtained exclusively from official Salesforce distribution channels.
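The checks implied by the advice above, written out as an added PowerShell example (not Salesforce's code) to run on the workstation where the installer was downloaded: it flags any executable or DLL sitting beside sf-x64.exe (the precondition for the working-directory search-order hijack described above), reports the installer's Authenticode status, and compares the installed CLI version with 2.106.6. It assumes the installer is saved as sf-x64.exe in the Downloads folder and that `sf --version` prints a string containing `@salesforce/cli/<version>`; both are assumptions, not details from the advisory.

```powershell
# Added example, not Salesforce's code: defender-side checks for CVE-2025-9844.
# Assumptions: the installer was saved as sf-x64.exe in $DownloadDir, and the installed
# CLI is on PATH as 'sf' with 'sf --version' printing '@salesforce/cli/<version> ...'.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads",
    [version]$FixedVersion = '2.106.6'
)
$Installer = Join-Path $DownloadDir 'sf-x64.exe'
# Helper names the advisory says the vulnerable installer resolves from the working directory first.
$KnownHelpers = @('sf-autoupdate.exe', 'sf-config.dll')

# 1. Hijack precondition: executables or DLLs sitting next to the installer.
#    A legitimate standalone download has none; same-named helpers match the attack pattern.
Get-ChildItem -Path $DownloadDir -File |
    Where-Object { $_.Extension -in '.exe', '.dll' -and $_.Name -ne 'sf-x64.exe' } |
    ForEach-Object {
        $level = if ($KnownHelpers -contains $_.Name) { 'HIGH' } else { 'REVIEW' }
        Write-Warning "[$level] sibling binary beside installer: $($_.FullName)"
    }

# 2. Authenticode status of the installer itself. A repackaged installer will not carry a
#    valid chain; compare the subject with the publisher shown on the official download page.
if (Test-Path $Installer) {
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne 'Valid') {
        Write-Warning "[HIGH] sf-x64.exe signature status: $($sig.Status). Do not run it."
    } else {
        Write-Output "Installer signed by: $($sig.SignerCertificate.Subject)"
    }
}

# 3. Post-install check: anything below the fixed version came from an unpatched installer.
if (Get-Command sf -ErrorAction SilentlyContinue) {
    $raw = (& sf --version 2>$null) -join ' '
    if ($raw -match '@salesforce/cli/(\d+\.\d+\.\d+)') {
        $installed = [version]$Matches[1]
        if ($installed -lt $FixedVersion) {
            Write-Warning "[HIGH] Salesforce CLI $installed is below $FixedVersion; upgrade."
        } else {
            Write-Output "Salesforce CLI $installed is at or above the fixed version."
        }
    } else {
        Write-Warning "Could not parse 'sf --version' output: $raw"
    }
}
```

A HIGH finding in step 1 or 2 means the download should be deleted and re-obtained from the official channel rather than run; step 3 flags hosts where an older installer has already been executed and should be reviewed for the infection the advisory warns about.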
