EUVD-2025-17656

CVE-2025-43697 | HIGH | CVSS 3.1 base score 7.5
Published 2025-06-10 | CNA contact: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17656
CVE Published: Jun 10, 2025 - 12:15 (nvd), HIGH 7.5

Description

Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025

Analysis

An Improper Preservation of Permissions flaw in the DataMapper component of Salesforce OmniStudio allows encrypted data to be exposed to principals who should not be able to read it. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates it 7.5 (High): reachable over the network, no privileges and no user interaction required, confidentiality impact High, no integrity or availability impact. Affected releases are all OmniStudio releases before Spring 2025. No KEV listing and no EPSS figure were present in the intelligence sources consulted for this page, so the priority below rests on the CVSS score alone. One practical reading of the vector: OmniStudio normally sits behind Salesforce authentication, so a PR:N rating implies an exposure path that does not require an org login, most plausibly an Experience Cloud site that exposes OmniStudio components to the guest user. Orgs with public-facing OmniStudio content should therefore be triaged first.

Technical Context

The vulnerability resides in OmniStudio's DataMapper component (formerly DataRaptor), which performs data extraction, transformation and load operations between Salesforce objects and the JSON consumed by OmniScripts, FlexCards and Integration Procedures. The weakness is classified as CWE-281, Improper Preservation of Permissions (not CWE-276, Incorrect Default Permissions, which is a different weakness): the component is expected to carry the calling principal's permissions through to the data it returns, and fails to do so. The advisory text says only that the result is exposure of encrypted data; it does not state which permission is dropped or at which step. Combined with the description, the consistent reading is that a DataMapper operation returns values from encrypted fields without applying the permission check that governs access to that data, so a caller who could not read the field through normal UI or API paths receives it through DataMapper output. Treat that as an inference from the CWE and description, not as a confirmed root-cause statement from the vendor.

Affected Products

Salesforce OmniStudio (DataMapper component), all releases before Spring 2025. In Salesforce release ordering that means Spring 2024, Summer 2024 and Winter 2025 (which ships in late 2024, before Spring 2025) and everything earlier are in scope; Spring 2025 and later contain the fix. Note two details that matter for scoping. First, OmniStudio is delivered as a managed package, so the version in a given org is whatever was last installed there, not automatically the current platform release; check the installed package version in Setup under Installed Packages, or with the Salesforce CLI (`sf package installed list --target-org <alias>`), rather than assuming the org is on the latest release. Second, the sources used for this page do not include a vendor CPE string; if an NVD entry is added it would be expected to take the form of a `cpe:2.3:a:salesforce:omnistudio:*` match with a version range ending before Spring 2025, but that is an expectation, not a published identifier. Customers running older OmniStudio package generations should confirm their exact version against Salesforce's advisory for CVE-2025-43697 rather than relying on the release-name boundary alone.
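The in-scope list above depends on a detail that is easy to get wrong when triaging an inventory of orgs: Salesforce labels its Winter release with the following calendar year, so "Winter 2025" precedes "Spring 2025" even though both carry 2025 in the name. The helper below, an added example that is not code from vuln.today or from Salesforce, normalises release names to their actual ship order and flags orgs whose OmniStudio release predates the fixed one. The org inventory is constructed sample data; the mapping from numeric managed-package versions to release names is not given on this page, so the helper works on release names only.

```python
import re

# Salesforce release ordering: Spring (Feb), Summer (Jun), Winter (Oct).
# The Winter release is labelled with the NEXT calendar year, so Winter '25
# ships in late 2024 and therefore precedes Spring '25. We normalise every
# release to (ship_year, season_index) so plain tuple comparison reproduces
# the real order.
SEASON_ORDER = {"spring": 0, "summer": 1, "winter": 2}

# Fixed release named in the advisory text.
FIXED_RELEASE = "Spring 2025"

# Accepts "Spring 2025", "Spring '25", "winter25", etc.
_RELEASE_RE = re.compile(r"^\s*(spring|summer|winter)\s*'?\s*(\d{2}|\d{4})\s*$", re.I)


def parse_release(name: str) -> tuple:
    """Return (ship_year, season_index) for a Salesforce release name."""
    m = _RELEASE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised Salesforce release name: {name!r}")
    season = m.group(1).lower()
    year = int(m.group(2))
    if year < 100:          # two-digit form such as '25
        year += 2000
    ship_year = year - 1 if season == "winter" else year
    return (ship_year, SEASON_ORDER[season])


def is_affected(installed: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the installed release predates the fixed release."""
    return parse_release(installed) < parse_release(fixed)


def triage(orgs: dict) -> list:
    """Given {org_alias: installed_release}, return aliases that need the upgrade."""
    return sorted(alias for alias, rel in orgs.items() if is_affected(rel))


# Constructed sample inventory (hypothetical org aliases, not real data).
SAMPLE_ORGS = {
    "prod-emea": "Winter '25",     # ships late 2024 -> affected
    "prod-amer": "Spring 2025",    # fixed release -> not affected
    "sandbox-uat": "Summer 2024",  # affected
    "sandbox-dev": "Summer '25",   # later than the fix -> not affected
    "legacy-portal": "Winter 2026",  # ships late 2025 -> not affected
}

if __name__ == "__main__":
    for alias in triage(SAMPLE_ORGS):
        print(f"{alias}: {SAMPLE_ORGS[alias]} predates {FIXED_RELEASE}, upgrade required")
```

The comparison key is the only non-obvious part: without the `year - 1` adjustment for Winter, "Winter 2025" would sort after "Spring 2025" and an affected org would be reported as fixed.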

Remediation

Primary remediation: upgrade OmniStudio to the Spring 2025 release or later. Spring 2025 shipped before this CVE was published (June 2025), so the fixed release is already available and there is no separate patch to wait for. Because OmniStudio is a managed package, the upgrade is an action the org administrator must perform and then verify against the installed package version; it does not arrive automatically with the platform release.

Interim measures for orgs that cannot upgrade immediately:

(1) Reduce reachability. A SaaS endpoint cannot be moved onto an internal network, so the AV:N vector cannot be converted to AV:A by network controls. What an administrator can do is constrain who reaches OmniStudio: set login IP ranges on profiles and trusted IP ranges at the org level, and, since the vector is PR:N, review every Experience Cloud site whose guest user profile has access to OmniStudio DataMapper components or the Apex classes that back them, as that is the most plausible unauthenticated path.

(2) Audit permissions rather than adding encryption. The flaw is that encrypted data reaches principals who should not see it; enabling additional encryption does not close that gap. Inventory which fields are encrypted and which profiles and permission sets grant the View Encrypted Data permission (the permission that governs classic encrypted text fields), and remove it wherever it is not required.

(3) Review DataMapper configurations and the object and field access of the roles, profiles and permission sets that invoke them; remove broad access that the integrations do not need.

(4) Monitor access with the right telemetry. Setup Audit Trail records configuration changes, not data reads, so it will not show DataMapper data access. Detecting unusual DataMapper activity requires Event Monitoring (event log files or Real-Time Event Monitoring) where the org is licensed for it.

(5) Tighten session settings: shorter session timeouts and high-assurance session requirements for users and integrations with broad data access.

(6) Contact Salesforce Support for guidance specific to your deployment, and cite the Salesforce security advisory for CVE-2025-43697 when scheduling the upgrade in the next maintenance window.

Priority Score

Score: 38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +38, POC 0

EUVD-2025-17656 vulnerability details – vuln.today