Introduction
Attackers can exploit misconfigured search paths in widely used enterprise tools to execute malicious code with elevated privileges. Salesforce CLI, a command-line tool essential for Salesforce developers and administrators, recently disclosed a critical vulnerability that allows local attackers on Windows systems to replace trusted executables and potentially compromise sensitive environments.
Salesforce is a global leader in cloud-based CRM and business automation, serving over 150,000 organizations. Its CLI is a core tool for managing, deploying, and automating Salesforce environments, making any vulnerability in this tool highly impactful for enterprises worldwide.
Technical Information
CVE-2025-9844 is a high-severity vulnerability (CVSS 8.8) categorized as CWE-427: Uncontrolled Search Path Element. The issue affects Salesforce CLI for Windows in all versions before 2.106.6. The vulnerability arises from improper validation and control over the search path used to locate and load external executables or resources.
When Salesforce CLI invokes external programs or loads dynamic libraries without specifying an absolute path, Windows follows a specific search order: the application directory, system directories, the current working directory, and directories listed in the PATH environment variable. If an attacker can write a malicious executable with the same name as a legitimate one into a directory that is searched before the directory holding the legitimate file, the CLI may execute the attacker's code instead of the intended program. Depending on whether a library or an executable is substituted, this is commonly referred to as DLL hijacking or binary planting.
The root cause is the CLI's failure to specify full paths when invoking external executables, relying instead on the Windows search order. This allows attackers with local access (but not necessarily administrative privileges) to exploit the search path and achieve code execution in the context of the user running the CLI; if that user runs the CLI from an elevated session, the planted code inherits those privileges.
No public code snippets or specific vulnerable functions have been disclosed for this issue.
Affected Systems and Versions
- Salesforce CLI for Windows
- All versions before 2.106.6 are affected
- Only Windows installations are vulnerable
- No evidence of exploitation on other operating systems
Vendor Security History
Salesforce has experienced several notable vulnerabilities in 2025, including multiple CVEs in Salesforce Industry Cloud products. The company generally collaborates with security researchers and provides timely advisories and patches. However, the recurrence of critical vulnerabilities, including configuration and path handling issues, highlights ongoing challenges in secure development and testing practices.