EUVD-2025-17661
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254.
Analysis
CVE-2025-43701 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network attackers to read Custom Settings data without authorization. Affecting OmniStudio versions before 254, this high-severity flaw (CVSS 7.5) enables direct exposure of sensitive configuration data through a low-complexity attack requiring no user interaction or privileges. While KEV status and active exploitation details are not available in provided data, the combination of high CVSS score, unauthenticated attack vector, and direct confidentiality impact indicates significant real-world risk to Salesforce deployments storing sensitive configuration in Custom Settings.
Technical Context
OmniStudio is a Salesforce cloud platform component providing low-code design and configuration tools. FlexCards is a declarative UI component within OmniStudio that enables rapid development of responsive card-based interfaces. The vulnerability stems from CWE-281 (Improper Preservation of Permissions), a weakness where access controls fail to properly restrict operations on sensitive resources. In this case, the FlexCards component fails to enforce proper permission checks when accessing Custom Settings—a Salesforce configuration storage mechanism intended for organization-wide or profile-specific settings. The vulnerability likely exists in the FlexCards rendering or data retrieval logic, where permission validation is either absent or improperly implemented, allowing the component to expose Custom Settings data regardless of user access privileges. CPE designation would be `cpe:2.7:a:salesforce:omnistudio:*:*:*:*:*:*:*:*` with versions prior to 254 affected.
Affected Products
OmniStudio (All versions before 254); OmniStudio (254 and later)
Remediation
Primary Patch: Upgrade OmniStudio to version 254 or later; priority: Critical; notes: Salesforce typically delivers updates through automatic sandbox refreshes and controlled production deployments. Check Salesforce release notes for version 254 availability in your org's release cycle. Workaround (Temporary): Restrict FlexCards component access via Salesforce permission sets and sharing rules until patch is available; priority: High; notes: Disable or limit access to FlexCards in production environments if they are used to display or interact with Custom Settings data. Review which users/profiles have access to affected FlexCards components. Detection & Monitoring: Audit Custom Settings access logs in Salesforce to identify unauthorized access patterns; priority: High; notes: Enable debug logging for Custom Settings queries. Monitor Setup Audit Trail for permission modifications related to OmniStudio. Review FlexCards component usage analytics. Configuration Hardening: Review Custom Settings contents and recategorize sensitive data outside Custom Settings if possible; priority: Medium; notes: Custom Settings should not store secrets, encryption keys, or highly sensitive PII. Migrate sensitive configs to encrypted custom fields or external secret management.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today