CVE-2025-9844
📋 TL;DR
This vulnerability allows attackers to replace trusted executables in Salesforce CLI on Windows by exploiting an uncontrolled search path element. Attackers can place malicious files in directories searched before legitimate ones, potentially executing arbitrary code. This affects Windows users running Salesforce CLI versions before 2.106.6.
💻 Affected Systems
- Salesforce CLI
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the Salesforce CLI user, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Local privilege escalation or execution of malicious payloads when users run Salesforce CLI from untrusted directories or with insufficient path protections.
If Mitigated
Limited impact if proper access controls, path restrictions, and user awareness prevent execution from untrusted locations.
🎯 Exploit Status
Exploitation requires local filesystem access and knowledge of search path behavior. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.106.6 or later
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005224301&type=1
Restart Required: No
Instructions:
1. Open a command prompt as administrator.
2. Run: sfdx update
3. Verify the version with: sfdx --version (should show 2.106.6 or higher)
🔧 Temporary Workarounds
Restrict PATH environment variable
Windows: Remove untrusted directories from the system PATH to prevent searching malicious locations
Control Panel > System > Advanced system settings > Environment Variables > Edit PATH
Use absolute paths for CLI execution
Windows: Always specify the full path when running Salesforce CLI commands
C:\Program Files\Salesforce CLI\bin\sfdx.exe [command]
🧯 If You Can't Patch
- Restrict user permissions to prevent file creation in trusted directories
- Implement application whitelisting to block unauthorized executables
🔍 How to Verify
Check if Vulnerable:
Run 'sfdx --version' and check whether the reported version is below 2.106.6
Check Version:
sfdx --version
Verify Fix Applied:
Confirm version is 2.106.6 or higher with 'sfdx --version'
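As an added check that is not part of this advisory or of Salesforce's own tooling, the following PowerShell script covers both the version test above and the PATH workaround: it compares the installed sfdx version with 2.106.6, lists every file that answers to 'sfdx' in PATH order, and flags PATH entries searched before the installed CLI that are empty, relative, missing, or writable by broad groups. It assumes sfdx is on PATH and that its --version output contains a dotted x.y.z version; the three identities treated as "broad" are an assumption as well.

```powershell
# Added example (not from the advisory or Salesforce). Assumes 'sfdx' is on PATH and 'sfdx --version' prints an x.y.z version.
$FixedVersion = [version]'2.106.6'

function Get-SfdxVersion {
    # Returns the first x.y.z found in the CLI's own output, or $null if it cannot be parsed.
    $out = (& sfdx --version 2>$null | Out-String)
    if ($out -match '\d+\.\d+\.\d+') { return [version]$Matches[0] }
    return $null
}

function Test-BroadWriteAccess([string]$Dir) {
    # True if Everyone, Users or Authenticated Users may create files in $Dir (reads the ACL only, writes nothing).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'   # assumed set of "broad" principals
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $write)) { return $true }
    }
    return $false
}

# 1. Version check against the fixed release named in the advisory.
$v = Get-SfdxVersion
if ($null -eq $v)             { Write-Warning 'sfdx not found, or its version output could not be parsed' }
elseif ($v -lt $FixedVersion) { Write-Warning "sfdx $v is below $FixedVersion: vulnerable, run 'sfdx update'" }
else                          { Write-Host    "sfdx $v is at or above $FixedVersion" }

# 2. Every executable that answers to 'sfdx', in PATH order. More than one hit means a
#    file earlier in PATH shadows the installed CLI.
$hits = @(Get-Command sfdx -All -CommandType Application -ErrorAction SilentlyContinue)
$hits | ForEach-Object { Write-Host "sfdx resolves to: $($_.Source)" }

# 3. Inspect the PATH entries searched before the first hit: an empty or relative entry is
#    resolved against the current working directory, and a broadly writable or missing
#    directory lets any local user place a file that wins the search.
$trusted = if ($hits.Count -gt 0) { (Split-Path $hits[0].Source -Parent).TrimEnd('\') } else { $null }
foreach ($entry in ($env:Path -split ';')) {
    if ($trusted -and $entry.TrimEnd('\') -ieq $trusted) { break }
    if ([string]::IsNullOrWhiteSpace($entry) -or -not [System.IO.Path]::IsPathRooted($entry)) {
        Write-Warning "PATH entry '$entry' is empty or relative and is searched before sfdx"; continue
    }
    if (-not (Test-Path -LiteralPath $entry -PathType Container)) {
        Write-Warning "PATH entry '$entry' does not exist (could be created by a local user)"; continue
    }
    if (Test-BroadWriteAccess $entry) {
        Write-Warning "PATH entry '$entry' is broadly writable and is searched before sfdx"
    }
}
```

Run it from the same shell (and PATH) that users normally launch Salesforce CLI from, since a per-user PATH can differ from the system one edited in Control Panel.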
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from non-standard directories
- Salesforce CLI processes spawning unexpected child processes
Network Indicators:
- Unexpected outbound connections from Salesforce CLI processes
SIEM Query:
Process creation where parent process contains 'sfdx' and command line contains unusual paths