A critical vulnerability in the Salesforce CLI installer (sf-x64.exe) allows attackers to achieve arbitrary code execution, privilege escalation, and SYSTEM-level access on Windows systems.
Tracked as CVE-2025-9844, the flaw stems from the installer's improper handling of executable file paths, which allows malicious files to be executed in place of legitimate binaries when the software is obtained from untrusted sources.
Path Hijacking Vulnerability (CVE-2025-9844)
The vulnerability abuses how the Salesforce CLI installer resolves file paths during installation. When sf-x64.exe runs, it loads several auxiliary executables and DLLs from the current working directory before falling back to the directory containing the installer.
An attacker who places a crafted executable named identically to a legitimate component (for example, sf-autoupdate.exe or sf-config.dll) in the same folder can cause the installer to load and execute the attacker's code.
Because the installer runs with elevated privileges by default, writing registry keys under HKLM and creating services under LocalSystem, the injected code inherits SYSTEM-level privileges, enabling full takeover of the host machine.
Upon execution, the installer loads the rogue sf-autoupdate.exe, which escalates privileges by creating a reverse shell service under the LocalSystem account. The attacker then uses the shell to execute commands and successfully retrieves SYSTEM-level output.
Risk Factors and Details
Affected Products: Salesforce CLI installer (sf-x64.exe) versions
Impact: Arbitrary code execution; privilege escalation to SYSTEM-level access
Exploit Prerequisites: Installer obtained from an untrusted source; attacker places a malicious executable in the installer's working directory; installer run with elevated privileges
CVSS 3.1 Score: 7.8 (High)
Affected Versions and Mitigation
All Salesforce CLI versions prior to 2.106.6 are affected by this path hijacking vulnerability.
Importantly, only users who install the CLI from untrusted mirrors or third-party repositories are at risk; installations downloaded directly from the official Salesforce website use a signed installer that enforces strict path resolution and integrity checks.
To remediate, affected users should immediately uninstall any CLI version obtained from unverified sources and perform a thorough system scan for unknown executables or suspicious services.
Salesforce has released version 2.106.6, which fixes the issue by hard-coding absolute file paths and validating digital signatures before loading supplementary executables.
Administrators are advised to enforce installation from trusted endpoints only and to enable Microsoft Defender Application Control (MDAC) policies to restrict execution of unauthorized binaries in installation directories.
Continuous monitoring of system event logs for unexpected service creation or installer execution under non-standard paths will help detect attempted exploits early.
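To make the monitoring advice above concrete, the following added example (not code from the article or from Salesforce) applies two detection heuristics to constructed, flattened Windows event records: a new service installed as LocalSystem from a path outside the standard installation roots (the outcome described for a hijacked installer), and the sf-autoupdate.exe component started from a user-writable directory. The record format, field names and trusted roots are assumptions for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Roots from which a legitimately installed service binary or CLI component should run (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Auxiliary component the article names as resolved from the installer's working directory.
AUX_COMPONENTS = {"sf-autoupdate.exe"}

# Constructed sample records (not real logs) in a flattened "Key=Value Key=Value" export format;
# 7045 = service installed (System log), 4688 = process creation (Security log).
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=sfAutoUpdate ImagePath=C:\\Users\\alice\\Downloads\\sf-autoupdate.exe AccountName=LocalSystem",
    "EventID=7045 ServiceName=WinDefend ImagePath=C:\\Program Files\\Windows Defender\\MsMpEng.exe AccountName=LocalSystem",
    "EventID=4688 NewProcessName=C:\\Users\\alice\\Downloads\\sf-autoupdate.exe SubjectUserName=alice",
    "EventID=4688 NewProcessName=C:\\Program Files\\sf\\bin\\sf.exe SubjectUserName=alice",
]

# A value runs until the next " Key=" token, so paths containing spaces survive parsing.
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened record into its fields."""
    return {key: value for key, value in _FIELD.findall(line)}


def is_untrusted_path(path: str) -> bool:
    """True when the binary lives outside the trusted installation roots."""
    return not path.strip('"').lower().startswith(TRUSTED_ROOTS)


def triage(lines) -> list:
    """Return one finding per record that matches the path-hijack heuristics."""
    findings = []
    for event in map(parse_event, lines):
        event_id = event.get("EventID")
        if event_id == "7045":
            # New LocalSystem service whose image sits in a non-standard directory.
            if event.get("AccountName") == "LocalSystem" and is_untrusted_path(event["ImagePath"]):
                findings.append(f"service {event['ServiceName']} installed as LocalSystem from {event['ImagePath']}")
        elif event_id == "4688":
            image = event["NewProcessName"]
            name = PureWindowsPath(image).name.lower()
            # Known auxiliary component executed from a user-writable location instead of the install root.
            if name in AUX_COMPONENTS and is_untrusted_path(image):
                findings.append(f"installer component {name} executed from {image}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```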