Sep 25, 2025Ravie LakshmananVulnerability / AI Safety
Cybersecurity researchers have disclosed a crucial flaw impacting Salesforce Agentforce, a platform for constructing synthetic intelligence (AI) brokers, that would permit attackers to probably exfiltrate delicate information from its buyer relationship administration (CRM) device via an oblique immediate injection.
The vulnerability has been codenamed ForcedLeak (CVSS rating: 9.4) by Noma Safety, which found and reported the issue on July 28, 2025. It impacts any group utilizing Salesforce Agentforce with the Net-to-Lead performance enabled.
“This vulnerability demonstrates how AI brokers current a essentially completely different and expanded assault floor in comparison with conventional prompt-response techniques,” Sasi Levi, safety analysis lead at Noma, stated in a report shared with The Hacker Information.
One of the crucial extreme threats going through generative synthetic intelligence (GenAI) techniques at this time is oblique immediate injection, which happens when malicious directions are inserted into exterior information sources accessed by the service, successfully inflicting it to generate in any other case prohibited content material or take unintended actions.
The assault path demonstrated by Noma is deceptively easy in that it coaxes the Description discipline in Net-to-Lead kind to run malicious directions via a immediate injection, permitting a menace actor to leak delicate information and exfiltrate it to a Salesforce-related allowlisted area that had expired and turn out to be accessible for buy for as little as $5.
This takes place over 5 steps –
Attacker submits Net-to-Lead kind with a malicious Description
Inside worker processes lead utilizing an ordinary AI question to course of incoming leads
Agentforce executes each professional and hidden directions
System queries CRM for delicate lead data
Transmit the information to the now attacker-controlled area within the type of a PNG picture
“By exploiting weaknesses in context validation, overly permissive AI mannequin conduct, and a Content material Safety Coverage (CSP) bypass, attackers can create malicious Net-to-Lead submissions that execute unauthorized instructions when processed by Agentforce,” Noma stated.
“The LLM, working as an easy execution engine, lacked the power to tell apart between professional information loaded into its context and malicious directions that ought to solely be executed from trusted sources, leading to crucial delicate information leakage.”
Salesforce has since re-secured the expired area, rolled out patches that forestall output in Agentforce and Einstein AI brokers from being despatched to untrusted URLs by implementing a URL allowlist mechanism.
“Our underlying companies powering Agentforce will implement the Trusted URL allowlist to make sure no malicious hyperlinks are referred to as or generated by way of potential immediate injection,” the corporate stated in an alert issued earlier this month. “This supplies an important defense-in-depth management towards delicate information escaping buyer techniques through exterior requests after a profitable immediate injection.”
In addition to making use of Salesforce’s beneficial actions to implement Trusted URLs, customers are beneficial to audit current lead information for suspicious submissions containing uncommon directions, implement strict enter validation to detect attainable immediate injection, and sanitize information from untrusted sources.
“The ForcedLeak vulnerability highlights the significance of proactive AI safety and governance,” Levi stated. “It serves as a powerful reminder that even a low-cost discovery can forestall hundreds of thousands in potential breach damages.”
