Salesforce has published a security advisory detailing a high-severity flaw in its Salesforce-CLI installer (sf-x64.exe). The vulnerability, tracked as CVE-2025-9844 with a CVSS score of 8.8, could allow attackers to achieve arbitrary code execution, privilege escalation, and SYSTEM-level access on affected systems.
The flaw stems from improper handling of the executable file path during installation. If a malicious file is placed in the directory from which the installer is run, the installer may execute that file instead of the intended Salesforce CLI binary.
According to the advisory, “The Salesforce-CLI installer (sf-x64.exe) is vulnerable to arbitrary code execution, privilege escalation, and SYSTEM-level access. This vulnerability arises from improper handling of the executable file path, especially when combined with social engineering tactics.”
This makes the issue particularly dangerous in scenarios where users unknowingly download the installer from untrusted sources.
The vulnerability impacts all Salesforce-CLI versions prior to 2.106.6. Salesforce clarifies that the problem “affects only those customers who downloaded the software from an untrusted source, rather than directly from the official Salesforce site.”
Users who obtained the installer from official Salesforce distribution channels are not affected.
An attacker could exploit CVE-2025-9844 by tricking users into running the vulnerable installer from a directory that also contains a malicious executable. The installer may then execute the attacker’s file in place of legitimate program components, granting the attacker SYSTEM-level privileges on the machine.
When paired with social engineering tactics, such as phishing emails or fake download links, this vulnerability poses a serious threat to enterprise environments that rely heavily on Salesforce CLI for development and automation.
Salesforce has released version 2.106.6 of the CLI to address the flaw. Customers are strongly advised to upgrade immediately and ensure they only obtain installers from the official Salesforce website.
The advisory stresses, “If you downloaded salesforce-cli from an untrusted source, scan your local system for malware or suspicious activity.”
Organizations should also review endpoint security logs and enforce policies preventing the installation of software from unverified sources.
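The two defender-side checks the advisory implies, written as an added Python example that is not Salesforce's code: refuse to run an installer that sits beside other executable-like files (the planting condition the flaw depends on), verify the installer's SHA-256 against a value the operator takes from the official download page, and flag any CLI version older than the fixed 2.106.6 release. The hash placeholder, the `sf-x64.exe` file contents, and the `helper.dll` name in the demo are constructed for the example; the list of risky file extensions is an assumption, not something the advisory specifies.

```python
"""Pre-flight checks before running a Salesforce CLI installer.

Added example, not Salesforce's code. It applies the advisory's guidance:
only run an installer whose hash matches the official download, never run
it from a directory holding other executables, and treat any CLI version
before 2.106.6 as affected by CVE-2025-9844.
"""
import hashlib
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 106, 6)
# Assumed set of extensions an installer could be tricked into executing.
RISKY_SUFFIXES = {".exe", ".dll", ".cmd", ".bat", ".com", ".ps1"}
# Placeholder only: take the real value from the official Salesforce download page.
EXPECTED_SHA256 = "<sha256-from-official-salesforce-download-page>"


def parse_version(text: str) -> tuple:
    """Turn '2.106.5' into (2, 106, 5); non-numeric fragments count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True for any Salesforce CLI version older than the fixed 2.106.6."""
    return parse_version(version) < FIXED_VERSION


def colocated_executables(installer: Path) -> list:
    """Names of other executable-like files sitting beside the installer."""
    installer = Path(installer).resolve()
    found = []
    for entry in installer.parent.iterdir():
        if entry.resolve() == installer:
            continue
        if entry.is_file() and entry.suffix.lower() in RISKY_SUFFIXES:
            found.append(entry.name)
    return sorted(found)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(installer: Path, expected_sha256: str) -> list:
    """Return reasons not to run the installer; an empty list means proceed."""
    installer = Path(installer)
    if not installer.is_file():
        return [f"installer not found: {installer}"]
    problems = []
    actual = sha256_of(installer)
    if actual.lower() != expected_sha256.lower():
        problems.append(f"hash mismatch: got {actual}, expected {expected_sha256}")
    extras = colocated_executables(installer)
    if extras:
        problems.append("other executables beside installer: " + ", ".join(extras))
    return problems


def run_demo() -> dict:
    """Constructed scenario: a fake installer, then a planted DLL beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "sf-x64.exe"
        fake.write_bytes(b"constructed stand-in, not a real installer")
        clean = preflight(fake, sha256_of(fake))          # nothing planted yet
        (Path(tmp) / "helper.dll").write_bytes(b"planted")
        planted = preflight(fake, sha256_of(fake))        # co-located executable
        tampered = preflight(fake, "0" * 64)              # wrong hash as well
    return {"clean": clean, "planted": planted, "tampered": tampered}


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(f"{label}: {'OK' if not problems else problems}")
    print("2.106.5 affected:", is_affected_version("2.106.5"))
```

In practice `preflight` would be called with the installer path and the published hash before anything is executed, and a non-empty result should stop the rollout; the demo uses a temporary directory so it runs on any platform without touching a real installer.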