A recently disclosed vulnerability in the Salesforce Command Line Interface (CLI) installer has raised serious security concerns, as it allows attackers to execute arbitrary code with SYSTEM privileges on Windows endpoints.
Tracked as CVE-2025-9844, this flaw stems from improper handling of executable file paths during installation and can be leveraged through social engineering tactics.
Organizations using versions of the Salesforce-CLI installer before 2.106.6 are urged to verify the source of their installer packages and apply necessary protective measures immediately.
Background
Salesforce-CLI is a powerful tool widely adopted by developers and system administrators to automate and script interactions with the Salesforce platform.
The installer executable (sf-x64.exe) downloads and sets up necessary components on Windows machines.
Attackers exploiting CVE-2025-9844 trick users into downloading a malicious installer from untrusted sources.
When executed, the installer fails to validate the execution path for its auxiliary executables, allowing a planted malicious file in the current working directory to be invoked instead of the intended legitimate binary.
Successful exploitation grants SYSTEM-level privileges, effectively bypassing user-level restrictions and enabling full control over the target host.
Attack Mechanics
The vulnerability leverages a combination of path-based hijacking and social engineering.
An attacker entices a user to download what appears to be the authentic Salesforce-CLI installer but includes a fake sf-x64.exe alongside a malicious executable named identically to one of the installer’s helper binaries.
During installation, the installer implicitly trusts the local directory over system paths when launching these components. Once launched, the malicious helper binary executes with SYSTEM context.
Post-exploitation activities may include deploying backdoors, harvesting credentials, disabling security controls, or laterally moving across the network.
Indicators of compromise often include unexpected entries in the Windows Registry under the Run keys or anomalous processes spawned from temporary folders.
Administrators should immediately verify the origin of Salesforce-CLI installers in use and ensure they have been obtained directly from the official Salesforce distribution channels.
Any installer obtained from third-party or unverified websites should be considered suspect. Systems that may have run untrusted installers require thorough endpoint scans for malware or suspicious artifacts.
Implementing application allow-listing can protect against the execution of unauthorized binaries, while regular review of startup entries and process trees can help detect post-exploitation activity.
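As an added illustration (not code from the article or from Salesforce), the following Python triage script encodes the two indicators described above: a helper binary spawned by sf-x64.exe that resolved from the installer's own working directory or a temporary folder instead of an installation directory, and Run-key values pointing into temporary folders. The event field names, the sample paths and the helper name "helper.exe" are constructed assumptions; the advisory does not name the helper binary.

```python
from pathlib import PureWindowsPath

INSTALLER = "sf-x64.exe"          # installer name from the advisory
TEMP_MARKER = "\\temp\\"          # matches %TEMP% and C:\Windows\Temp

def in_temp_folder(path: str) -> bool:
    """True when the path sits under a temporary folder."""
    return TEMP_MARKER in path.lower()

def suspicious_spawn(event: dict) -> bool:
    """Hijack pattern from the advisory: sf-x64.exe launches a helper that
    resolved from its own working directory (or a temp folder) instead of an
    installation directory. Heuristic only; tune to the environment."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent != INSTALLER:
        return False
    child = PureWindowsPath(event["image"])
    cwd = PureWindowsPath(event["cwd"])
    return child.parent == cwd or in_temp_folder(event["image"])

def suspicious_run_value(value: str) -> bool:
    """Run-key values that point into temp folders: a persistence artifact."""
    return in_temp_folder(value)

def scan(events, run_values):
    """Return the events and Run-key values that match either indicator."""
    return {
        "spawns": [e for e in events if suspicious_spawn(e)],
        "run_keys": [v for v in run_values if suspicious_run_value(v)],
    }

# Constructed sample data; field names, paths and "helper.exe" are assumptions.
EVENTS = [
    {"parent_image": r"C:\Users\bob\Downloads\sf-x64.exe",      # hijacked helper
     "cwd": r"C:\Users\bob\Downloads",
     "image": r"C:\Users\bob\Downloads\helper.exe"},
    {"parent_image": r"C:\Users\bob\Downloads\sf-x64.exe",      # expected helper
     "cwd": r"C:\Users\bob\Downloads",
     "image": r"C:\Program Files\sf\bin\helper.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",                 # not the installer
     "cwd": r"C:\Users\bob",
     "image": r"C:\Users\bob\Downloads\notes.exe"},
]
RUN_VALUES = [
    r'"C:\Program Files\Vendor\agent.exe" /background',
    r"C:\Users\bob\AppData\Local\Temp\svc.exe",
]

if __name__ == "__main__":
    for key, hits in scan(EVENTS, RUN_VALUES).items():
        print(key, hits)
```

Feed it process-creation events (parent image, working directory, child image) exported from your EDR or Sysmon, and the Run-key values collected from affected endpoints; a hit on the spawn rule for a legitimate installer means the heuristic needs tuning for that environment.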
Salesforce has issued version 2.106.6 of the CLI installer, which properly validates executable paths and mitigates this vulnerability.
All affected users are advised to upgrade without delay.
CVE Details Table
CVE Identifier | Affected Product | Impact | Exploit Prerequisites | CVSS 3.1 Score |
---|---|---|---|---|
CVE-2025-9844 | Salesforce CLI installer (sf-x64.exe < 2.106.6) | Arbitrary code execution; SYSTEM access | Victim executes installer from an untrusted source; a malicious helper binary is present in the execution directory | Not yet assigned |