
Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection

Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.

The vulnerability has been codenamed ForcedLeak (CVSS score: 9.4) by Noma Security, which discovered and reported the issue on July 28, 2025. It impacts any organization using Salesforce Agentforce with the Web-to-Lead functionality enabled.

“This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems,” Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.


One of the most severe threats facing generative artificial intelligence (GenAI) systems today is indirect prompt injection, which occurs when malicious instructions are inserted into external data sources accessed by the service, effectively causing it to generate otherwise prohibited content or take unintended actions.


The attack path demonstrated by Noma is deceptively simple in that it coaxes the Description field in the Web-to-Lead form into running malicious instructions by means of a prompt injection, allowing a threat actor to leak sensitive data and exfiltrate it to a Salesforce-related allowlisted domain that had expired and become available for purchase for as little as $5.

This takes place over 5 steps:

  • Attacker submits a Web-to-Lead form with a malicious Description
  • Internal employee processes the lead using a standard AI query to process incoming leads
  • Agentforce executes both legitimate and hidden instructions
  • System queries the CRM for sensitive lead information
  • The data is transmitted to the now attacker-controlled domain in the form of a PNG image

“By exploiting weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce,” Noma said.

“The LLM, operating as a straightforward execution engine, lacked the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage.”


Salesforce has since re-secured the expired domain and rolled out patches that prevent output in Agentforce and Einstein AI agents from being sent to untrusted URLs by enforcing a URL allowlist mechanism.


“Our underlying services powering Agentforce will enforce the Trusted URL allowlist to ensure no malicious links are called or generated through potential prompt injection,” the company said in an alert issued earlier this month. “This provides a crucial defense-in-depth control against sensitive data escaping customer systems via external requests after a successful prompt injection.”

Besides applying Salesforce’s recommended actions to enforce Trusted URLs, users are advised to audit existing lead data for suspicious submissions containing unusual instructions, implement strict input validation to detect possible prompt injection, and sanitize data from untrusted sources.
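The Trusted URL control described above can be illustrated with an output filter that checks every URL in an agent response against an exact-hostname allowlist. This is an added example, not Salesforce's implementation; the hostnames, function names and the HTTPS-only rule are assumptions, and the sample response is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; these hostnames are placeholders.
TRUSTED_HOSTS = {"crm.example.com", "cdn.example.com"}

# http(s) URLs wherever they appear: markdown images/links, HTML attributes, bare text.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """Exact-match the parsed hostname; never substring-match the raw URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo and port, lowercases
    except ValueError:         # malformed authority: fail closed
        return False
    if parts.scheme != "https" or not host:  # assumption: HTTPS only
        return False
    return host.rstrip(".") in trusted

def filter_agent_output(text, trusted=TRUSTED_HOSTS):
    """Return (sanitized_text, blocked_urls) for one agent response."""
    blocked = []

    def _replace(match):
        url = match.group(0)
        if host_is_trusted(url, trusted):
            return url
        blocked.append(url)
        return "[blocked-url]"

    return URL_RE.sub(_replace, text), blocked

# Constructed sample: an agent reply containing one trusted and three untrusted URLs.
SAMPLE = (
    "Lead summary ready. ![logo](https://cdn.example.com/logo.png)\n"
    "![s](https://expired-partner.example.net/p.png?d=alice%40corp.test)\n"
    '<img src="https://cdn.example.com@collector.example.net/p.png">\n'
    "https://cdn.example.com.collector.example.net/p.png"
)

if __name__ == "__main__":
    clean, blocked = filter_agent_output(SAMPLE)
    print(clean)
    print("blocked:", blocked)
```

An exact-match check is only as sound as the list behind it: the incident described here involved an allowlisted domain that had expired, so allowlist entries also need periodic ownership review.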

“The ForcedLeak vulnerability highlights the importance of proactive AI security and governance,” Levi said. “It serves as a strong reminder that even a low-cost discovery can prevent tens of millions in potential breach damages.”
