A essential zero-day vulnerability found in Salesforce‘s default controller has uncovered hundreds of thousands of person information throughout hundreds of deployments worldwide.
The safety flaw, discovered within the built-in aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap controller, allowed attackers to extract delicate person info and doc particulars by SOQL injection methods.
SOQL Injection 0-Day Vulnerability
The vulnerability was found whereas conducting automated fuzzing assessments on Aura controllers current in Salesforce deployments.
A customized parser and fuzzer was developed to check tons of of endpoints by mutating enter parameters throughout the appliance’s app.js file, which conveniently defines controller descriptors and required arguments.
In line with safety researcher Tobia Righi, the breakthrough got here when the fuzzer returned an sudden error message revealing unsafe parameter dealing with: “MALFORMED_QUERY: nContentVersion WHERE ContentDocumentId = ”’n ERROR at Row:1:Column:239nunexpected token: ”’”.
This error indicated that the contentDocumentId parameter was being instantly embedded into SOQL queries with out correct sanitization, making a pathway for injection assaults.
Regardless of SOQL’s inherent restrictions in comparison with conventional SQL injection vulnerabilities, the researcher efficiently developed an exploitation approach utilizing error-based blind injection strategies.
The assault leveraged response discrepancies between legitimate and invalid queries to extract delicate database info.
By crafting payloads corresponding to 069TP00000HbJbNYAV’ AND OwnerId IN (SELECT Id FROM Consumer WHERE E mail LIKE ‘apercent25’) AND ContentDocumentId != ‘, attackers might enumerate column contents from any object associated to ContentDocument.
The approach exploited completely different server responses: profitable subqueries returned “Can not invoke “frequent.udd.EntityInfo.getEntityId()” as a result of “ei” is null”, whereas unsuccessful ones returned “Error in retrieving content material doc”.
The researcher enhanced the assault by incorporating Salesforce ID era methods, utilizing current scripts to generate hundreds of legitimate contentDocumentId values beginning with the prefix “069”.
This allowed systematic extraction of doc names, descriptions, and person particulars from each private and non-private ContentDocument objects throughout the platform.
Patch Launched
After reporting the vulnerability to an affected group, the researcher realized that the weak controller was really a part of Salesforce’s default set up, not customized code.
When subsequently reported to Salesforce in late February 2025, the corporate quietly patched the vulnerability with out issuing a public advisory, CVE designation, or acknowledgment in launch notes.
The vulnerability’s influence extends far past particular person organizations, because the affected controller was current in all Salesforce deployments by default.
The silent patching method, whereas resolving the quick safety threat, has left the safety group with out official steerage on detection strategies or potential indicators of compromise from the vulnerability’s exploitation window.
Attempt Subsequent-gen Antivirus that Elevates Endpoint Safety for Free
