Salesforce

A critical vulnerability named **ForcedLeak** was discovered in Salesforce’s **Agentforce** AI platform, enabling external attackers to exploit **prompt injection** via an expired trusted domain (`my-salesforce-cms.com`), purchased for $5. By leveraging the **Web-to-Lead** feature’s unsecured **description field** (42,000-character limit), researchers embedded malicious instructions that tricked AI agents into querying and exfiltrating **sensitive customer lead data**—including email addresses—from Salesforce’s CRM. The attack bypassed traditional security controls by abusing AI’s trust boundaries, sending stolen data to an attacker-controlled server via a crafted HTML snippet. While Salesforce patched the flaw by enforcing **trusted URL allow-lists** and re-securing the expired domain, the vulnerability underscored risks in AI-driven automation, particularly when human oversight is lacking. The exploit, rated **9.4 (Critical)** via CVSS 4.0, highlighted how low-cost domain acquisitions and prompt injection can facilitate large-scale data breaches. Salesforce confirmed no evidence of abuse but acknowledged the evolving threat landscape of AI security.

Source: https://www.theregister.com/2025/09/26/salesforce_agentforce_forceleak_attack/

TPRM report: https://www.rankiteo.com/company/salesforce

"id": "sal5403154092725",
"linkid": "salesforce",
"type": "Vulnerability",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cloud Computing / CRM',
                        'location': 'San Francisco, California, USA',
                        'name': 'Salesforce',
                        'size': 'Enterprise (150,000+ employees)',
                        'type': 'Corporation'}],
 'attack_vector': ['Indirect Prompt Injection',
                   'DNS Misconfiguration',
                   'Expired Trusted Domain Exploitation'],
 'customer_advisories': 'Customers advised to review AI agent configurations '
                        'and trusted URL settings.',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'Partial (Email '
                                                        'addresses, '
                                                        'potentially '
                                                        'names/companies)',
                 'sensitivity_of_data': 'Moderate (Business contact data, no '
                                        'financial/PII confirmed)',
                 'type_of_data_compromised': ['Customer Lead Information',
                                              'Email Addresses']},
 'date_publicly_disclosed': '2023-09-07',
 'date_resolved': '2023-09-08',
 'description': 'A now-fixed flaw in Salesforce’s Agentforce allowed external '
                'attackers to steal sensitive customer data via prompt '
                "injection. The vulnerability, dubbed 'ForcedLeak,' exploited "
                'a DNS misconfiguration and an expired trusted domain '
                '(my-salesforce-cms.com) purchased by researchers for $5. '
                'Attackers could inject malicious prompts into the Web-to-Lead '
                "form's description field (42,000-character limit), tricking "
                'AI agents into querying CRM records and exfiltrating data to '
                'an attacker-controlled server. Salesforce patched the issue '
                'by enforcing trusted URL allow-lists for Agentforce and '
                'Einstein Generative AI agents.',
 'impact': {'brand_reputation_impact': 'Moderate (Public disclosure of '
                                       'critical AI security flaw)',
            'data_compromised': ['Customer Lead Data',
                                 'Email Addresses',
                                 'Potentially Other CRM Records'],
            'identity_theft_risk': 'Potential (Exposed email addresses and '
                                   'lead data)',
            'operational_impact': 'High (Risk of sensitive data exfiltration '
                                  'via AI agents)',
            'systems_affected': ['Salesforce Agentforce',
                                 'Einstein Generative AI Agents',
                                 'Web-to-Lead Feature']},
 'initial_access_broker': {'entry_point': 'Web-to-Lead Form (Description '
                                          'Field)',
                           'high_value_targets': ['CRM Lead Data',
                                                  'Customer Email Addresses']},
 'investigation_status': 'Resolved (Vulnerability patched; no evidence of '
                         'malicious exploitation)',
 'lessons_learned': 'The incident highlights the need for: (1) Proactive AI '
                    'security governance, (2) Strict input validation for AI '
                    'prompts, (3) Domain lifecycle management to prevent '
                    'expired domain exploitation, (4) Human oversight for '
                    'AI-agent interactions, and (5) Defense-in-depth for '
                    'AI-integrated business tools against prompt injection '
                    'attacks.',
 'motivation': 'Research/Proof-of-Concept (No evidence of malicious '
               'exploitation)',
 'post_incident_analysis': {'corrective_actions': ['Enforced trusted URL '
                                                   'allow-lists for Agentforce '
                                                   'and Einstein AI agents.',
                                                   'Re-secured expired domain '
                                                   'and implemented domain '
                                                   'monitoring.',
                                                   'Released patches to block '
                                                   'data exfiltration via '
                                                   'untrusted URLs.',
                                                   'Public disclosure to raise '
                                                   'awareness of AI prompt '
                                                   'injection risks.'],
                            'root_causes': ['DNS misconfiguration allowing '
                                            'expired domain '
                                            '(my-salesforce-cms.com) to be '
                                            'purchased by attackers.',
                                            'Lack of input validation for AI '
                                            'prompt fields (e.g., '
                                            '42,000-character description '
                                            'field).',
                                            'Over-trust in AI agent '
                                            'interactions with external data '
                                            'sources.',
                                            'Insufficient URL allow-listing '
                                            'for AI-generated outputs.']},
 'recommendations': ['Implement strict character limits and input sanitization '
                     'for all AI prompt fields.',
                     'Enforce allow-lists for all external URLs called by AI '
                     'agents.',
                     'Monitor domain registrations for expired trusted '
                     'domains.',
                     'Conduct regular red-team exercises for AI systems to '
                     'test prompt injection resilience.',
                     'Integrate AI-specific security controls into traditional '
                     'SOC workflows.',
                     'Educate developers on secure AI prompt design patterns.'],
 'references': [{'date_accessed': '2023-09-08',
                 'source': 'The Register',
                 'url': 'https://www.theregister.com/2023/09/08/salesforce_agentforce_prompt_injection/'},
                {'date_accessed': '2023-09-07',
                 'source': 'Noma Security Blog'}],
 'response': {'communication_strategy': ['Public Statement to The Register',
                                         'Blog Post by Noma Security'],
              'containment_measures': ['Enforced Trusted URL Allow-Lists for '
                                       'Agentforce/Einstein AI',
                                       'Re-secured Expired Domain '
                                       '(my-salesforce-cms.com)'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Patches to prevent AI agents from '
                                       'sending data to untrusted URLs']},
 'stakeholder_advisories': 'Salesforce notified customers via public statement '
                           'and enforced security controls.',
 'threat_actor': 'Security Researchers (Noma Security)',
 'title': 'ForcedLeak: Salesforce Agentforce AI Prompt Injection Vulnerability',
 'type': ['Data Breach', 'AI Security Vulnerability', 'Prompt Injection'],
 'vulnerability_exploited': 'ForcedLeak (CVE-not-applicable; CVSS v4.0: 9.4 - '
                            'Critical)'}