
Salesforce CVE-2025-43697 | EUVD-2025-17656 | HIGH
Improper Preservation of Permissions (CWE-281)
Published 2025-06-10 · CNA: security@salesforce.com
CVSS 3.1 (NVD): 7.5

Severity by source

NVD (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:49 (euvd), EUVD-2025-17656
Analysis Generated: Mar 14, 2026 19:49 (vuln.today)
CVE Published: Jun 10, 2025 12:15 (nvd), HIGH 7.5

Description (CVE.org)

Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025.

Analysis (AI-generated)

CVE-2025-43697 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio's DataMapper component that allows an unauthenticated, network-based attacker to expose encrypted data without any user interaction. The vulnerability affects OmniStudio versions prior to Spring 2025 and carries a CVSS 7.5 (High) severity rating. While specific KEV status and EPSS data were not provided in the intelligence sources, the high CVSS score combined with unauthenticated access (AV:N, PR:N) indicates a significant data-exposure risk for organizations running affected OmniStudio deployments.

Technical Context (AI-generated)

The vulnerability resides in OmniStudio's DataMapper component, which performs data transformation and mapping within the Salesforce ecosystem. The root cause is classified as CWE-281 (Improper Preservation of Permissions / Incorrect Default Permissions), meaning that DataMapper fails to properly enforce or preserve access-control permissions when it processes encrypted data, so that sensitive encrypted data can be reached by principals who should not have visibility into it. Because DataMapper typically handles sensitive customer data transformations, the improper permission handling suggests a flaw in how access controls are applied during data-processing workflows, potentially allowing permissions to be dropped or bypassed during encryption/decryption operations or data-access checks.

Remediation (AI-generated)

Primary remediation: upgrade Salesforce OmniStudio to the Spring 2025 release or later, which addresses the permission preservation flaw in DataMapper. For organizations unable to upgrade immediately:

(1) Implement network-level access controls that restrict OmniStudio DataMapper endpoints to authorized internal networks only, reducing the AV:N attack surface to AV:A.
(2) Enable Salesforce Shield Platform Encryption for data at rest as defense in depth against unauthorized access.
(3) Audit DataMapper permission configurations and remove unnecessarily broad permissions from user roles and profiles.
(4) Monitor OmniStudio DataMapper activity logs for unusual access patterns using Salesforce's audit trail functionality.
(5) Implement session management and IP-based restrictions on OmniStudio access.
(6) Contact Salesforce Support for interim security guidance specific to your deployment.

Formal patch availability is expected via the Salesforce Spring 2025 release on March 15, 2025. Customers with support contracts should reference the Salesforce security bulletin and apply the update during the next scheduled maintenance window.


CVE-2025-43697 vulnerability details – vuln.today
