* Last update: 26/09/2025
* Affected software: Salesforce CLI releases prior to 2.106.6
* Type: CWE-427 Uncontrolled Search Path Element
* CVE/CVSS: CVE-2025-9844: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Salesforce: https://help.salesforce.com/s/articleView?id=005224301&type=1
This vulnerability in the Salesforce CLI installer (sf‑x64.exe; CVE‑2025‑9844) permits arbitrary code execution, privilege escalation and SYSTEM‑level access. The installer resolves executables from its local working directory (an uncontrolled search path, CWE‑427): when the installer is obtained from an untrusted source, or run from a directory an attacker can write to, the attacker can cause it to load a malicious binary in place of a legitimate component.
The impact to confidentiality, integrity and availability is high: compromised developer workstations or CI/CD agents may suffer full host compromise, exfiltration of credentials, tampering of build artefacts and lateral movement across trusted infrastructure.
There is currently no evidence that this vulnerability has been exploited in the wild.
In affected versions, the Salesforce CLI installer (sf‑x64.exe) contains a path‑handling vulnerability that permits local arbitrary code execution and privilege escalation. This weakness allows attackers to carry out the following:
• Delivery - Attacker lures the user or automation to run a trojanised sf‑x64.exe installer obtained from an untrusted source.
• Path hijack - The installer loads executables from the local working directory; a malicious binary placed there is loaded instead of the legitimate component (uncontrolled search path).
• Execute & escalate - The malicious binary runs with the installer’s privileges and achieves SYSTEM‑level execution, enabling persistence (services, scheduled tasks) and implant installation.
• Post‑compromise impact - The compromised host (developer workstation or CI/CD agent) is used to exfiltrate secrets, tamper builds, or move laterally into trusted infrastructure.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing the fixed Salesforce CLI release (2.106.6 or later) on affected systems with the highest priority, after thorough testing.
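The attack chain above depends on two things the defender controls: running a vulnerable release, and launching the installer from a directory into which an attacker could have dropped a binary. The following PowerShell script, added here as an example and not code from the CCB or Salesforce, checks both: it compares the installed CLI version against the fixed release 2.106.6 named in this advisory, and it runs a downloaded sf‑x64.exe only after verifying its Authenticode signature (and an optional SHA‑256 pin obtained out of band), from a freshly created, empty, ACL‑restricted staging directory. The `@salesforce/cli/<version>` pattern used to parse `sf --version` output and the function names are assumptions made for this example.

```powershell
# Added example, not CCB or Salesforce code.
# Assumptions: `sf --version` prints a string containing "@salesforce/cli/<major>.<minor>.<patch>";
# the fixed release is 2.106.6 (from the advisory above).

$FixedVersion = [version]'2.106.6'

function Get-SfCliVersion {
    # Returns the installed CLI version as [version], or $null if sf is not on PATH
    # or its output does not match the assumed format.
    $sf = Get-Command sf -ErrorAction SilentlyContinue
    if (-not $sf) { return $null }
    $out = & $sf.Source --version 2>$null | Out-String
    if ($out -match '@salesforce/cli/(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-SfCliVulnerable {
    # $true if the installed release is older than the fixed one, $false if not, $null if unknown.
    $v = Get-SfCliVersion
    if ($null -eq $v) { Write-Warning 'sf CLI not found or version not parsed'; return $null }
    return ($v -lt $FixedVersion)
}

function Invoke-SfInstallerSafely {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # downloaded sf-x64.exe
        [string]$ExpectedSha256                         # hash obtained out of band (assumption: you have one)
    )
    # 1. Reject unsigned or tampered installers: CWE-427 only pays off if the attacker's binary runs.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'Salesforce') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    # 2. Optional hash pin against a value published by the vendor.
    if ($ExpectedSha256) {
        $h = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
        if ($h -ne $ExpectedSha256.ToUpperInvariant()) { throw "SHA256 mismatch: $h" }
    }
    # 3. Stage in a new, empty directory so the installer's working directory holds nothing but itself.
    $stage = Join-Path $env:TEMP ('sf-install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    # Cut inheritance and grant only the current user, SYSTEM and Administrators,
    # so no other principal can drop a file next to the installer before it runs.
    $acl = Get-Acl -Path $stage
    $acl.SetAccessRuleProtection($true, $false)
    $principals = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
                    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    foreach ($id in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $stage -AclObject $acl
    $staged = Join-Path $stage 'sf-x64.exe'
    Copy-Item -Path $InstallerPath -Destination $staged
    # 4. Re-check that nothing executable sits beside the installer right before launch.
    $stray = Get-ChildItem -Path $stage -File |
        Where-Object { $_.FullName -ne $staged -and $_.Extension -in '.exe', '.dll', '.cmd', '.bat' }
    if ($stray) { throw "Unexpected executables in staging directory: $($stray.Name -join ', ')" }
    # 5. Launch with the working directory pinned to the clean staging directory.
    Start-Process -FilePath $staged -WorkingDirectory $stage -Wait
    Remove-Item -Path $stage -Recurse -Force
}

# Usage:
#   if (Test-SfCliVulnerable) { Invoke-SfInstallerSafely -InstallerPath "$env:USERPROFILE\Downloads\sf-x64.exe" }
```

The staging step is a precaution for the moment of installation; it does not replace upgrading to 2.106.6 or later, and it does nothing for a host on which a trojanised installer has already run.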
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.