A critical zero-day vulnerability was discovered in a default Salesforce controller, exposing millions of user records across many deployments. This serious security flaw, found in a built-in Aura controller, allowed attackers to extract sensitive user information and document details. This was accomplished by using sophisticated Salesforce Object Query Language (SOQL) injection techniques to directly query the underlying database and exfiltrate sensitive user data. The vulnerability was initially discovered by security researcher Tobia Righi while conducting various automated fuzzing tests on many Aura controllers. An unexpected error message from a fuzzer first revealed the unsafe parameter handling, which created a pathway for these injection attacks.
The underlying technical vulnerability stemmed from a specific parameter being directly embedded into SOQL queries without any proper data input sanitization. Despite the inherent restrictions of SOQL compared to traditional SQL injection, the researcher successfully developed a powerful exploitation technique for it. The developed attack leveraged distinct server response discrepancies between valid and also invalid queries to extract the sensitive database information. By carefully crafting specific query payloads, attackers could then enumerate column contents from any object related to the platform’s ContentDocument object. This specific technique allowed for the systematic extraction of various document names, detailed descriptions, and also critical user details from the database.
After first reporting the critical vulnerability to a single affected organization, the researcher then learned some important additional information.
He discovered that the vulnerable controller was actually part of Salesforce’s default installation, not just some organization’s unique custom code. When this was subsequently reported directly to Salesforce in late February 2025, the company quietly patched the widespread serious vulnerability. Salesforce notably did not issue a public advisory, a CVE designation, or any acknowledgment of the serious flaw in their official product release notes.
The vulnerability’s potential impact extends far beyond just individual organizations, as the affected controller was present in all Salesforce deployments by default.
The silent patching approach that was taken by Salesforce, while resolving the immediate existing security risk, has left the security community. The community now has no official guidance on specific detection methods for past exploitation of this particular system vulnerability on their platforms. There are also no potential indicators of compromise from the vulnerability’s significant exploitation window that has now since been officially closed. This complete lack of any transparency from the company makes it very difficult for numerous organizations to accurately determine if they were previously compromised. It leaves many internal security teams in a difficult position regarding their historical security posture and any potential past data breaches.
Reference:
