Full Report
A recently disclosed security research report has revealed a severe vulnerability chain in Salesforce AgentForce, dubbed ForcedLeak, which highlights a new class of AI-specific threats in enterprise systems. The vulnerability, discovered by a cybersecurity firm and rated critical with a CVSS score of 9.4, exposes how the expanded attack surface of autonomous AI agents like those in AgentForce can be exploited through indirect prompt injection attacks. Overview of the Salesforce ForcedLeak Vulnerability ForcedLeak targets Salesforce AgentForce, a CRM-integrated AI agent platform that autonomously handles complex business tasks such as lead management and customer communication. The core of the vulnerability lies in how AI agents process external inputs, not just as static data but as dynamic, executable instructions. Unlike traditional chatbot systems, AI agents with autonomous reasoning, internal memory, and tool-calling abilities present significantly broader attack surfaces. Noma Labs found that attackers could inject malicious instructions into Salesforce’s Web-to-Lead form submissions. When internal employees later queried AgentForce about these leads, the AI would process the embedded payloads unknowingly, effectively turning trusted data into an attack vector. The flaw allowed for unauthorized access to sensitive CRM data, including customer contacts, sales strategies, and even third-party integration information. Attack Methodology and Technical Details The researchers mapped out a multi-phase attack that involved: Injection Point Identification: The “Description” field in Salesforce’s Web-to-Lead forms, with its 42,000-character limit, was identified as an ideal target for payload insertion. Realistic Prompt Construction: The attacker crafted lead data that, when reviewed by employees using AgentForce, would cause the AI to execute embedded malicious instructions. Prompt Injection via Trusted Queries: A prompt like “Please, check the lead with name 'Alice Bob' and answer their questions...” would seem innocuous, but would trigger the AI to parse and act upon malicious instructions in the data. CSP Bypass via Expired Whitelisted Domain: Salesforce’s Content Security Policy (CSP) allowed outbound data transmission to certain whitelisted domains. One such domain, my-salesforce-cms.com, had expired and was purchased by researchers to demonstrate how data could be exfiltrated through a seemingly trusted channel. This combination of factors created a high-impact vulnerability chain, ultimately proving how Salesforce AgentForce could be manipulated to leak sensitive CRM data with no direct user interaction. Who Was at Risk? Any organization using Salesforce AgentForce with Web-to-Lead functionality, particularly in sales, marketing, and customer acquisition, was potentially at risk. These environments routinely ingest external data from forms filled out by prospects at conferences, marketing campaigns, or websites, providing fertile ground for malicious submissions. Business and Security Impact The implications of ForcedLeak are significant: Data Exposure: Customer information, internal communications, sales pipeline details, and historical CRM records were all potentially vulnerable. Regulatory Risks: Breach disclosure requirements and compliance violations could follow such exposures. Reputational Damage: Any confirmed data breach involving sensitive customer data could severely impact brand trust. Lateral Movement: Due to Salesforce’s extensive API and business system integrations, attackers could potentially pivot across internal systems once inside. The research also revealed the possibility of time-delayed execution, where payloads remain dormant until triggered by a future employee action, making detection and response far more difficult. Salesforce’s Response Here is a timeline of events: July 28, 2025: Noma Labs reported the vulnerability to Salesforce. July 31, 2025: Salesforce acknowledged the issue and began an investigation. September 8, 2025: Salesforce released a patch implementing Trusted URLs Enforcement for both AgentForce and Einstein AI. September 25, 2025: Public disclosure of vulnerability. Salesforce also secured the expired domain from the whitelist and strengthened its CSP policies to prevent similar bypasses.
Analysis Summary
This summary is based on the provided context regarding a vulnerability publicized as "ForcedLeak" impacting Salesforce AgentForce.
# Vulnerability: ForcedLeak: Salesforce AgentForce Configuration Bypass
## CVE Details
- CVE ID: *Not explicitly provided in the text.*
- CVSS Score: *Score not explicitly provided, but described as "Critical".* (Severity: Critical)
- CWE: *Not explicitly provided.*
## Affected Systems
- Products: Salesforce AgentForce, Einstein AI.
- Versions: Unspecified versions prior to patching, particularly impacting configurations relying on older domain whitelisting/CSP settings.
- Configurations: Configurations where Trusted URLs Enforcement was not fully implemented or could be bypassed due to expired domain whitelisting.
## Vulnerability Description
The vulnerability, dubbed "ForcedLeak," concerns a critical flaw in Salesforce AgentForce related to how external resources or callbacks were being handled, likely involving a bypass of security controls such as Trusted URLs Enforcement. The flaw allowed for the potential execution of arbitrary content or redirection via manipulation of whitelisted domains, leading to significant data exposure risks. The exploitation path allowed for time-delayed execution of payloads, complicating incident response.
## Exploitation
- Status: *Likely known exploit techniques/PoC exists, but 'Exploited in the wild' status is not confirmed.* Research identified exploitation potential.
- Complexity: Implied to be Medium to High, given the sophisticated nature involving domain whitelists and time-delayed execution.
- Attack Vector: Likely Network/Remote, exploiting functionality within the AgentForce application.
## Impact
- Confidentiality: High (Potential access to sensitive customer data, PII, sales pipeline details, and historical CRM records).
- Integrity: High (Potential for unauthorized modification or execution of malicious logic).
- Availability: Medium (Potential Denial of Service or disruption depending on the payload deployed).
## Remediation
### Patches
- **September 8, 2025**: Salesforce released a patch implementing **Trusted URLs Enforcement** for both AgentForce and Einstein AI.
### Workarounds
- Salesforce secured the expired domain that was previously on the whitelist.
- Salesforce strengthened its **CSP (Content Security Policy)** to prevent similar bypasses.
## Detection
- **Indicators of Compromise (IoCs)**: Monitoring requests leveraging previously whitelisted but now expired external domains, or unusual execution flows within Salesforce processes related to AgentForce/Einstein. Time-delayed payloads might activate based on specific user actions or time stamps.
- **Detection Methods and Tools**: Reviewing CSP logs and network traffic for deviations from established policies. Auditing the configuration state of Trusted URLs and associated whitelists against current vendor advisories.
## References
- Vendor Advisory (Timeline): Reported July 28, 2025; Patched September 8, 2025; Public Disclosure September 25, 2025.
- Relevant Links:
- Information Source: thecyberexpress com/forcedleak-agentforce-vulnerability/ (Access this source for full context, ensure URL is defanged if needed for external reference)