
Salesforce CLI Installer Flaw Lets Attackers Run Code and Gain SYSTEM-Level Access

A serious security flaw in the Salesforce CLI installer (sf-x64.exe) has been assigned CVE-2025-9844.

This weakness allows attackers to execute arbitrary code with SYSTEM-level privileges on Windows machines. Users who installed Salesforce CLI from untrusted sources may be at risk.

The vulnerability stems from improper handling of file paths during installation, which can be abused through simple social engineering tactics.

Details of the Vulnerability

The issue lies in how the installer locates and runs executable files. When the Salesforce CLI installer is launched, it searches the local directory for certain files needed to complete installation.

If a malicious actor tricks a user into downloading a compromised installer or places a rogue executable in the same folder, the installer may run the attacker’s file instead of Salesforce’s legitimate code.

CVE ID: CVE-2025-9844
Affected versions: Salesforce CLI versions prior to 2.106.6
Impact: Arbitrary code execution, privilege escalation, SYSTEM-level access

Because the installer runs with elevated permissions, the attacker’s code executes with SYSTEM-level access.

This allows complete control over the operating system, including the ability to disable security controls, create new user accounts, or spread malware.

The vulnerability affects Salesforce CLI versions prior to 2.106.6. Users who obtained installers directly from Salesforce’s official site remain safe, as those files are properly signed and validated against tampering.

Organizations that use Salesforce CLI for development and automation often grant high privileges to the tool so they can perform tasks like data migrations, scripting, and continuous integration builds.

In a targeted attack, threat actors may send phishing emails or social media messages offering a “customized” or “enhanced” installer hosted on a shadow site.

Unsuspecting developers download the file and run it, unknowingly providing attackers with system-level control.

Once established, attackers can install backdoors, exfiltrate sensitive configuration data, or move laterally within corporate networks.

For single developers working on personal machines, this flaw can expose local credentials, API keys stored in environment variables, and other sensitive information.

Although the flaw requires some level of social engineering, it poses a serious threat in environments where code signing and download hygiene are not strictly enforced.

Salesforce addressed this flaw in version 2.106.6 of the CLI installer. Users should verify that they are running this version or later by executing the command sf --version in the command prompt.

If the version is older, download the installer only from the official Salesforce website.
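The following PowerShell script is an added example, not code from the article or from Salesforce. It turns the two defensive points above into checks a Windows user can run before launching a downloaded installer: it refuses an installer whose Authenticode signature is missing, broken, or from an unexpected signer (the official installers are signed, as the article notes), it flags any other executable sitting in the same folder (the planting behaviour the article describes, where the installer picks up files from its local directory), and it compares an already-installed CLI against the fixed version 2.106.6. The installer file name sf-x64.exe and the fixed version come from the article; the expected signer subject pattern is a placeholder assumption that must be replaced with the subject seen on a known-good installer from the official Salesforce site, and the version-output regex assumes sf --version prints a dotted version number.

```powershell
# Added example (not from the article or from Salesforce): pre-install hygiene checks
# for a downloaded Salesforce CLI installer on Windows.
# Assumptions: sf-x64.exe and 2.106.6 are taken from the article; the signer subject
# pattern below is a PLACEHOLDER to be replaced with the subject from a known-good copy.
param(
    [string]$InstallerPath = (Join-Path $env:USERPROFILE 'Downloads\sf-x64.exe'),
    [string]$ExpectedSignerSubjectPattern = 'CN=Salesforce*',   # placeholder, verify against a known-good installer
    [version]$FixedVersion = [version]'2.106.6'
)

$problems = @()

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}
$resolved = (Resolve-Path -LiteralPath $InstallerPath).Path

# 1. Signature check: unsigned, tampered, or foreign-signed installers are rejected.
$sig = Get-AuthenticodeSignature -FilePath $resolved
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)' (expected 'Valid')"
} elseif ($sig.SignerCertificate.Subject -notlike $ExpectedSignerSubjectPattern) {
    $problems += "Signer subject '$($sig.SignerCertificate.Subject)' does not match the expected pattern"
}

# 2. Search-path check: the installer runs executables it finds beside itself, so any
#    other executable or library in the download folder is a finding, not noise.
$dir = Split-Path -Parent $resolved
$riskyExtensions = @('.exe', '.dll', '.cmd', '.bat', '.ps1', '.msi')
$neighbours = Get-ChildItem -LiteralPath $dir -File |
    Where-Object { ($_.Extension -in $riskyExtensions) -and ($_.FullName -ne $resolved) }
foreach ($f in $neighbours) {
    $problems += "Unexpected executable beside the installer: $($f.Name)"
}

# 3. Version check of an already-installed CLI, if one is on PATH.
$sf = Get-Command sf -ErrorAction SilentlyContinue
if ($sf) {
    $out = (& $sf.Source --version) -join "`n"
    # Assumption: the output contains a dotted version such as 2.106.6; the first match is used.
    if ($out -match '(\d+\.\d+\.\d+)') {
        $installed = [version]$Matches[1]
        if ($installed -lt $FixedVersion) {
            $problems += "Installed Salesforce CLI $installed is older than the fixed version $FixedVersion"
        }
    } else {
        $problems += "Could not parse a version from 'sf --version' output"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "Do not run $resolved until these findings are resolved." -ForegroundColor Red
    exit 1
}
Write-Host "Installer signature and folder checks passed; installed CLI (if any) is at or above $FixedVersion." -ForegroundColor Green
```

Run it from an elevated or normal PowerShell prompt as .\Check-SfInstaller.ps1 (optionally with -InstallerPath pointing at the downloaded file). The folder check is deliberately strict: the cheapest mitigation for a search-path planting flaw is to run the installer from a freshly created, otherwise empty directory, so anything else present is worth explaining before proceeding.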

By following these steps, organizations can prevent attackers from exploiting CVE-2025-9844 and maintain the integrity of their Salesforce development pipelines.
