CVE-2025-43697

7.5 HIGH

📋 TL;DR

A vulnerability in Salesforce OmniStudio DataMapper allows unauthorized access to encrypted data due to improper permission preservation. This affects Salesforce customers using OmniStudio DataMapper components before the Spring 2025 release. Attackers could potentially view sensitive encrypted information they shouldn't have access to.

💻 Affected Systems

Products:
  • Salesforce OmniStudio DataMapper
Versions: All versions before Spring 2025 release
Operating Systems: Platform-independent (Salesforce cloud)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Salesforce OmniStudio DataMapper component; other Salesforce products not impacted. Requires DataMapper to be actively used in the org.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all encrypted data stored in vulnerable DataMapper instances, potentially including sensitive customer information, financial data, or proprietary business data.

🟠 Likely Case

Partial exposure of encrypted data to unauthorized users within the Salesforce environment, potentially violating data segregation and compliance requirements.

🟢 If Mitigated

Minimal impact with proper access controls and monitoring, though the vulnerability still exists at the platform level.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some Salesforce platform knowledge and access to the vulnerable org. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Spring 2025 release or later

Vendor Advisory: https://help.salesforce.com/s/articleView?id=004980323&type=1

Restart Required: No

Instructions:

  1. Upgrade the Salesforce org to the Spring 2025 release or later.
  2. No additional patching is required, as fixes are applied automatically by Salesforce.
  3. Verify DataMapper functionality after the upgrade.

🔧 Temporary Workarounds

Disable vulnerable DataMapper components
Platform: all
Temporarily disable or restrict access to OmniStudio DataMapper components until patched.

Implement additional access controls
Platform: all
Add extra permission layers and data access restrictions around DataMapper usage.

🧯 If You Can't Patch

  • Implement strict access controls and audit all DataMapper usage
  • Monitor for unusual data access patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the Salesforce org release in Setup > Company Information. If the org is on a release before Spring 2025 and uses OmniStudio DataMapper, it is vulnerable.

Check Version:

Not applicable - check via Salesforce Setup interface

Verify Fix Applied:

Verify org is on Spring 2025 or later release and test DataMapper functionality for proper permission enforcement.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DataMapper access patterns
  • Multiple failed permission checks on encrypted data
  • Unexpected successful data decryption events

Network Indicators:

  • Not applicable - internal Salesforce platform vulnerability

SIEM Query:

Salesforce Event Monitoring: look for DataMapper events with unusual permission patterns or data access outside normal bounds (no vendor-specific query is provided for this CVE).
