CVE-2025-9844 in CLI
Summary
by MITRE • 09/23/2025
Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable. This issue affects Salesforce CLI: before 2.106.6.
Analysis
by VulDB Data Team • 09/24/2025
The vulnerability identified as CVE-2025-9844 represents a critical uncontrolled search path element weakness in Salesforce CLI for Windows platforms that enables attackers to replace trusted executables through malicious path manipulation. This flaw resides in the command-line interface tool used for Salesforce development and deployment operations, specifically impacting versions prior to 2.106.6. The vulnerability stems from improper handling of executable search paths where the CLI does not adequately validate or sanitize the sequence of directories it searches when locating required binaries. This behavior creates an opportunity for attackers to place malicious executables in directories that are searched before legitimate trusted binaries, effectively allowing privilege escalation and code execution within the context of the user running the Salesforce CLI. The issue directly maps to CWE-427 Uncontrolled Search Path Element, which is classified under the Software Fault Pattern taxonomy and is commonly exploited in supply chain attacks where attackers compromise the execution environment by manipulating the search path.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential data compromise and system infiltration within Salesforce development environments. When developers execute Salesforce CLI commands, the tool may inadvertently execute malicious code from compromised directories, particularly affecting organizations that utilize default installation paths or have less stringent security controls. Attackers can exploit this vulnerability by placing malicious executables in directories that appear earlier in the system PATH variable, allowing them to hijack the execution flow of legitimate Salesforce CLI operations. This vulnerability is particularly dangerous in enterprise environments where developers may have elevated privileges and where the CLI is frequently used for deployment operations that could provide access to sensitive production systems. The attack vector aligns with ATT&CK technique T1068, which focuses on Local Port/Service Discovery and Privilege Escalation, demonstrating how path manipulation can lead to unauthorized access and system compromise.
Mitigation strategies for CVE-2025-9844 should prioritize immediate patching of Salesforce CLI to version 2.106.6 or later, which contains the necessary fixes to address the uncontrolled search path element vulnerability. Organizations should also implement strict PATH variable management practices, ensuring that trusted directories are prioritized over potentially compromised locations and that the system PATH is regularly audited for suspicious entries. Security teams should enforce least privilege principles for CLI usage, limiting the execution rights of Salesforce CLI to only necessary user accounts and implementing application whitelisting policies to prevent execution of unauthorized binaries. Additional defensive measures include monitoring for unusual CLI execution patterns, implementing process monitoring to detect suspicious executable launches, and conducting regular security assessments of development environments to identify potential path manipulation opportunities. The vulnerability also underscores the importance of secure development practices in CLI tools, emphasizing the need for proper input validation and secure path resolution mechanisms that prevent attackers from exploiting search path weaknesses in enterprise software tools.
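The PATH audit recommended above, as an added example (not Salesforce's or VulDB's code): it splits a Windows-style PATH with Windows semantics, flags entries that place a current-directory, relative or user-writable location ahead of the trusted system directories, and shows which copy of a binary a PATH-order search would pick. The environment, PATH string, writable roots and directory listing are constructed for the demonstration and stand in for a real host.

```python
import ntpath
import re

# Constructed sample environment, PATH and directory listing (not taken from a real host).
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows", "USERPROFILE": r"C:\Users\dev", "LOCALAPPDATA": r"C:\Users\dev\AppData\Local"}
SAMPLE_PATH = r"%LOCALAPPDATA%\tools;;C:\Windows\System32;C:\Windows;C:\Program Files\ExampleCLI\bin;tools"
WRITABLE_ROOTS = [r"%LOCALAPPDATA%", r"%USERPROFILE%", r"C:\Temp"]  # locations a non-admin user can write to
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]
SAMPLE_FS = {  # normalised directory -> files it contains
    r"c:\users\dev\appdata\local\tools": {"helper.exe"},   # copy an unprivileged writer could plant
    r"c:\windows\system32": {"helper.exe", "cmd.exe"}}      # trusted copy

def expand(entry: str, env: dict) -> str:
    """Expand %VAR% references against the supplied environment (case-insensitive names)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), entry)

def split_windows_path(path_value: str) -> list:
    """';' separates entries, surrounding quotes are dropped, an empty entry means the current directory."""
    return [e.strip().strip('"') for e in path_value.split(";")]

def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip("\\") + "\\")

def audit_path(path_value: str, env: dict, writable_roots: list) -> list:
    """Return (position, raw entry, finding) for entries that let a less-privileged writer win the search (CWE-427)."""
    roots = [ntpath.normcase(expand(r, env)) for r in writable_roots]
    sysroot = ntpath.normcase(expand("%SystemRoot%", env))
    findings, system_seen = [], False
    for i, raw in enumerate(split_windows_path(path_value)):
        entry = ntpath.normcase(expand(raw, env))
        if entry in ("", "."):
            findings.append((i, raw, "implicit current directory"))
        elif not ntpath.isabs(entry):
            findings.append((i, raw, "relative entry"))
        elif any(_under(entry, r) for r in roots):
            note = "user-writable directory" + ("" if system_seen else " ahead of system directories")
            findings.append((i, raw, note))
        elif _under(entry, sysroot):
            system_seen = True
    return findings

def resolve_command(name: str, path_value: str, env: dict, fs: dict):
    """PATH-order lookup: the first entry holding name+ext for any PATHEXT extension wins."""
    for raw in split_windows_path(path_value):
        d = ntpath.normcase(expand(raw, env)) or "."
        for ext in PATHEXT:
            fname = (name + ext).lower()
            if fname in fs.get(d, set()):
                return ntpath.join(d, fname)
    return None
```

Against the constructed sample, `audit_path` flags the user-writable entry sitting before System32, the empty entry and the relative entry, and `resolve_command("helper", ...)` shows the copy under the user profile being picked over the one in System32.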