New research spots security gaps in Salesforce Industry Cloud

SaaS security firm AppOmni reported that it has uncovered more than 20 security risks in Salesforce Industry Cloud—an increasingly popular platform among financial institutions (FIs) for building low-code, financial-specific apps. The vulnerabilities, including five classified as zero-day flaws, could leave banks and other financial organizations dangerously exposed to cyberattacks, data theft, and regulatory violations if not urgently addressed, according to AppOmni.

The security stated that its findings show that misconfigurations and overlooked default settings in Salesforce Industry Cloud could allow cybercriminals to steal sensitive client and employee data, including names, emails, financial records and login credentials. Joel Wallenstrom, general manager at AppOmni, said, "SaaS apps dominate the world, yet SaaS security remains years behind. Everyone freaks out over an open S3 bucket, yet misconfigured SaaS apps are everywhere and barely get noticed. That has to change."

Security must be a priority

The Salesforce Industry Cloud suite is used by financial services firms for everything from client onboarding and regulatory compliance to customer support and targeted marketing. AppOmni found that four of the five newly discovered vulnerabilities are considered high severity, and two require manual fixes by customers—posing a significant burden for institutions not actively monitoring their SaaS environments.

Aaron Costello, AppOmni's chief of SaaS security research, said, "Low-code platforms like Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritized. My research highlights how simple misconfigurations can create serious risks, not just within Industry Cloud but across an organization's entire Salesforce environment."

AppOmni further stated that the five vulnerabilities—now assigned Common Vulnerabilities and Exposures (CVE) numbers by Salesforce—primarily affect core components like FlexCards and Data Mappers. These flaws allow unauthorized access to encrypted data, bypass permissions, and leak information across users, AppOmni noted, adding that other affected features include Integration Procedures, OmniOut (which facilitates off-platform use) and Saved Sessions—all of which can inadvertently expose session data, API keys, or login credentials.

Salesforce issues advisories, guidance

Salesforce issued advisories for three of the vulnerabilities and configuration guidance for the remaining two, but experts stressed that responsibility lies with the customer to ensure secure implementation. "This isn't just misconfiguration; it's a maturity gap," Costello emphasized. "In industries where data sensitivity is high, usability needs to be rebalanced with security rigor."

AppOmni warned that approximately 25 percent of organizations it observed using Salesforce Industry Cloud are at risk of exposing data to the public. For FIs subject to stringent compliance standards such as FINRA, SEC, GDPR or PCI-DSS, failure to secure these environments could lead to severe consequences, AppOmni added.

To help mitigate risk, AppOmni released more than 20 detection insights aligned with the research, enabling security teams to identify and remediate vulnerabilities in Salesforce Industry Cloud environments. "Our goal is to equip security and platform teams with immediate visibility and a clear path to remediation," Costello said.

The full white paper, Low-Code, High Stakes, is available at bit.ly/4e6nJJI. It includes more than 20 detection insights aligned with the research to help security teams identify and remediate vulnerabilities.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.