ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
Summary
A critical vulnerability, dubbed ForcedLeak (CVSS score: 9.4), affects Salesforce Agentforce, allowing attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw was disclosed by Noma Security and patched by Salesforce. The vulnerability leveraged an expired Salesforce-related domain to transmit stolen data. The attack involved submitting a malicious Web-to-Lead form, processing it with AI, querying CRM for sensitive data, and transmitting it to the attacker-controlled domain. Salesforce has since mitigated the issue by re-securing the domain and enforcing a URL allowlist mechanism. Users are advised to audit existing lead data, enforce Trusted URLs, and implement strict input validation.
Timeline
- 25.09.2025 18:17 · 1 article · 0h ago
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability, ForcedLeak (CVSS score: 9.4), was discovered in Salesforce Agentforce, allowing attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw was disclosed by Noma Security on July 28, 2025, and patched by Salesforce. The attack involved submitting a malicious Web-to-Lead form, processing it with AI, querying CRM for sensitive data, and transmitting it to an attacker-controlled domain. Salesforce has mitigated the issue by re-securing the domain and enforcing a URL allowlist mechanism. Users are advised to audit existing lead data, enforce Trusted URLs, and implement strict input validation.
Sources:
- Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
Information Snippets
- ForcedLeak (CVSS score: 9.4) affects Salesforce Agentforce with Web-to-Lead enabled.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- The vulnerability allows exfiltration of sensitive CRM data via indirect prompt injection.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- The attack involved submitting a malicious Web-to-Lead form and processing it with AI.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- The stolen data was transmitted to an attacker-controlled domain via a PNG image.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- Salesforce has patched the vulnerability by re-securing the domain and enforcing a URL allowlist.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- Users are advised to audit lead data, enforce Trusted URLs, and implement strict input validation.
  First reported: 25.09.2025 18:17 (1 source, 1 article). Source: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17