Salesforce patches five vulnerabilities in Industry Cloud Components
Take action: If you are using Salesforce industry cloud offerings, make sure to review your settings in Flexcard and DataMappers for the new security configuration. Then reach out to Salesforce support for the other 16 issues that the vendor claims are your problem.
Salesforce has addressed multiple security vulnerabilities following a security assessment by Aaron Costello of AppOmni's SaaS security research team.
The vulnerabilities primarily affect Salesforce Industries' core components, including Flexcards, Data Mappers, and related tools that form the backbone of the company's industry cloud offerings. These platforms provide both technical and non-technical users with low-code capabilities to build business logic that processes sensitive organizational data.
Salesforce has assigned CVE identifiers to five vulnerabilities while classifying the remaining 16 discovered issues as customer-responsibility misconfigurations.
The assigned vulnerabilities are for Flexcard UI-building tools and Data Mapper functionality. Flexcards enable users to create custom user interfaces and data displays, while Data Mappers provide reading, transformation, and writing of Salesforce data across various business processes.
Assigned CVE Vulnerabilities:
- CVE-2025-43698 (CVSS score 9.1): SOQL data source vulnerability that exposes field data by completely ignoring field-level security permissions, representing the most critical flaw in the disclosure
- CVE-2025-43700 (CVSS score 7.5): Flexcard component returns sensitive data stored using Classic encryption in plaintext format to unauthorized users due to failure in enforcing View Encrypted Data permissions
- CVE-2025-43701 (CVSS score 7.5): Authentication bypass vulnerability that allows Guest Users to access values stored in Custom Settings without proper authorization
- CVE-2025-43697 (CVSS score 7.5): Data Mapper security weakness where Extract and Turbo Extract actions transmit encrypted data in plaintext to underprivileged users by failing to enforce field-level security by default
- CVE-2025-43699 (CVSS score 5.3): Client-side validation vulnerability enabling attackers to bypass the Required Permissions field through manipulation of client-side security checks
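The common thread in the five CVEs is that a server-side component returned data without applying the running user's field-level security (FLS) or encrypted-data permissions, and in one case relied on a client-side check that could be altered. The block below is an added illustration, not Salesforce's patch and not OmniStudio or Flexcard code, of what server-side FLS enforcement looks like in Apex; the object and field names (Contact, Tax_Id__c) are placeholders chosen for the example.

```apex
// Added example: server-side FLS enforcement for a data source that feeds a
// UI component. Not Salesforce's fix; Contact and Tax_Id__c are placeholders.
public with sharing class FlsEnforcedReader {

    // Run the query in user mode so SOQL itself applies the running user's
    // object and field permissions; a field the user cannot read raises a
    // QueryException instead of being silently returned to the caller.
    public static List<Contact> queryInUserMode() {
        return [SELECT Id, LastName, Tax_Id__c FROM Contact WITH USER_MODE LIMIT 50];
    }

    // For rows that were already fetched by a shared step (as a data-mapper
    // extract might do): strip every field the running user may not read,
    // rather than trusting a permission check performed in the browser.
    public static List<Contact> stripUnreadable(List<Contact> rows) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() reports what was withheld; logging it
        // is a cheap way to audit which fields a component was about to leak.
        return decision.getRecords();
    }

    // Explicit per-field check for components that assemble their field list
    // dynamically (the pattern a Flexcard data source follows). The decision
    // is made on the server from the describe metadata, never from the client.
    public static Boolean canReadField(String objectName, String fieldName) {
        Schema.SObjectType sobj = Schema.getGlobalDescribe().get(objectName);
        if (sobj == null) {
            return false;
        }
        Schema.SObjectField f = sobj.getDescribe().fields.getMap().get(fieldName);
        return f != null && f.getDescribe().isAccessible();
    }
}
```

When reviewing a Flexcard or Data Mapper configuration after this disclosure, the question to ask of each data source is which of these three behaviours it exhibits: the query itself runs with the user's permissions, the result is filtered before it leaves the server, or nothing is enforced until the client. Only the first two hold up against the kind of client-side manipulation described for CVE-2025-43699.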
The remaining 16 misconfigurations, to which Salesforce declined to assign CVEs, affect Integration Procedures, Data Packs, OmniOut, and OmniScript Saved Sessions.
Salesforce sent notifications to customers on May 19, 2025, and has fixed three of the five CVEs and implemented customer-configurable security settings for the remaining two vulnerabilities. For CVE-2025-43697 and CVE-2025-43698, the company introduced a new security setting called "EnforceDMFLSAndDataEncryption" that customers must manually enable to ensure proper field-level security enforcement and encrypted data protection.
All Salesforce customers received official notification of these vulnerabilities on May 19, 2025. The company claims there is no evidence of active exploitation in customer environments.