EUVD-2025-17657
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025.
Analysis
CVE-2025-43700 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. This high-impact confidentiality breach (CVSS 7.5) affects OmniStudio versions prior to Spring 2025 release and represents a significant risk to organizations using FlexCards for sensitive data handling, particularly given the low attack complexity and absence of privilege requirements.
Technical Context
The vulnerability stems from CWE-281 (Improper Preservation of Permissions), a weakness class where access controls fail to be properly maintained during data transformation or transit. In the context of OmniStudio FlexCards, this manifests as encrypted data exposure—likely occurring during the rendering or processing of FlexCard components when permission checks are bypassed or inadvertently stripped. FlexCards are Salesforce OmniStudio components used for dynamic UI rendering and data presentation. The root cause appears to involve the FlexCards engine failing to enforce or preserve security contexts when handling encrypted sensitive information, potentially during API calls, component initialization, or data serialization phases. The AV:N (Network) vector indicates the flaw is exploitable remotely without physical access, and AC:L (Low Complexity) suggests no special conditions are required beyond crafting a standard HTTP request to trigger the exposure.
Affected Products
Salesforce OmniStudio (component: FlexCards) versions prior to Spring 2025 release. Specific CPE mapping would be: cpe:2.7:a:salesforce:omnistudio:*:*:*:*:*:*:*:* (versions < 2025-Q1). OmniStudio is typically deployed as part of Salesforce Service Cloud, Financial Services Cloud, and custom Salesforce implementations. All orgs running OmniStudio FlexCards components in versions preceding the Spring 2025 patch cycle are affected. No version-specific exclusions are documented, suggesting a blanket vulnerability affecting all pre-patch releases.
Remediation
Immediate actions: (1) Upgrade OmniStudio to Spring 2025 release or later immediately—this is the primary remedial patch; (2) If immediate upgrade is not feasible, review Salesforce Security Advisory for CVE-2025-43700 for interim guidance and workarounds; (3) Audit FlexCard component usage in your Salesforce org and identify which FlexCards process or display encrypted sensitive data; (4) Implement temporary mitigations such as restricting FlexCard API access via Salesforce IP whitelisting, disabling unnecessary FlexCard components until patching, or applying Lightning record page security policies to limit exposure; (5) Monitor Salesforce trust status and apply the Spring 2025 patch during your next scheduled maintenance window if immediate patching is not possible; (6) Review access logs for any unauthorized access to encrypted data via FlexCard APIs in the period prior to patching. Contact Salesforce Support for advisory links and patch validation procedures specific to your deployment.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today