CVE-2025-9844 Overview
CVE-2025-9844 is an Uncontrolled Search Path Element vulnerability [CWE-427] affecting Salesforce CLI on Windows. The flaw allows an attacker to replace a trusted executable loaded by the CLI, leading to arbitrary code execution in the context of the user running the CLI. Salesforce CLI versions before 2.106.6 are affected. The issue carries a CVSS 3.1 score of 8.8 and affects confidentiality, integrity, and availability. Exploitation requires low privileges and no user interaction, making it attractive on developer workstations where the CLI is commonly installed.
Critical Impact
An attacker with low-privileged access to a Windows host can plant a malicious executable in a writable directory on the search path, causing Salesforce CLI to execute attacker-controlled code with the invoking user's privileges.
Affected Products
- Salesforce CLI on Windows, versions prior to 2.106.6
Discovery Timeline
- 2025-09-23 - CVE-2025-9844 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9844
Vulnerability Analysis
The vulnerability is classified as Uncontrolled Search Path Element [CWE-427]. Salesforce CLI on Windows resolves one or more executable dependencies without enforcing a fully qualified, trusted path. When the CLI spawns such a dependency, Windows resolves the name by searching directories in a defined order, which includes the current working directory and each PATH entry. If an attacker can write an executable with a matching name to a directory that appears earlier in that search order than the legitimate binary, the CLI loads the attacker's file instead of the trusted one.
Because the CLI runs with the privileges of the invoking user, the planted executable inherits those privileges. On developer endpoints, this often includes access to source code, signed deployment credentials, OAuth tokens, and connected org sessions. Execution is local, but the CVSS vector scores the flaw as network-accessible because the malicious file can be delivered through any standard distribution channel that lands it on disk.
Root Cause
The root cause is the CLI's reliance on relative or unqualified executable lookups during process invocation on Windows. Without absolute path resolution or signature verification, Windows search order rules permit a same-named binary in a higher-priority directory to be selected. Writable directories on PATH, or the current working directory during CLI invocation, become viable plant locations.
Attack Vector
An attacker first achieves the ability to write a file to a directory Salesforce CLI will search before reaching the legitimate executable. This may be a user-writable PATH entry, an installer staging directory, or the working directory of a developer shell. The attacker drops a malicious binary using the trusted executable's name. When the user runs a routine sf or sfdx command, Windows loads the planted binary, and the attacker gains code execution. Stolen Salesforce credentials and CI/CD secrets are typical post-exploitation objectives.
No verified public exploit code is available. Refer to the Salesforce Help Article for vendor technical details.
Detection Methods for CVE-2025-9844
Indicators of Compromise
- Unexpected executable files appearing in user-writable directories listed in the system or user PATH.
- Salesforce CLI processes (sf.exe, sfdx.exe) spawning child processes from non-standard install paths.
- Outbound network connections initiated by CLI-adjacent binaries to domains unrelated to Salesforce infrastructure.
Detection Strategies
- Inventory installed Salesforce CLI versions across Windows endpoints and flag any below 2.106.6.
- Hunt for executables in PATH directories that share names with binaries the CLI invokes, but reside outside the official install directory.
- Alert on file-write events to user-writable PATH locations followed by execution of the same file within a short window.
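The hunt in the second bullet can be scripted. The PowerShell below is an added example, not code from the advisory or from Salesforce: it walks PATH in the order Windows consults it, lists every copy of each watched executable name, checks whether the containing directory grants write access to broad groups, and flags a copy that is both untrusted and resolved before any trusted copy. The names in $NamesToCheck and the roots in $TrustedRoots are assumptions: sf.exe and sfdx.exe come from the advisory, node.exe is assumed as a CLI dependency, and you should add the directory your CLI was actually installed into (an npm global install lives under the user profile) to $TrustedRoots.

```powershell
# Added example (not from the advisory or Salesforce): find executables on PATH that
# would shadow a trusted copy of a name the CLI resolves (the CWE-427 condition).
# $NamesToCheck and $TrustedRoots are assumptions; adjust them to the host being hunted.
$NamesToCheck = @('sf.exe', 'sf.cmd', 'sfdx.exe', 'sfdx.cmd', 'node.exe')
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

# Identities whose Allow ACE for write turns a directory into a plant location
$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-BroadWrite {
    param([string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        # bit 2 of FileSystemRights is WriteData/CreateFiles; Modify and FullControl include it
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadIdentities -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band 2) -ne 0)) { return $true }
    }
    return $false
}

function Find-ShadowedExecutable {
    param([string[]]$Names, [string[]]$Roots)
    # PATH entries in resolution order, skipping empty or missing directories
    $pathDirs = $env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    foreach ($name in $Names) {
        $order = 0
        $trustedSeen = $false
        foreach ($dir in $pathDirs) {
            $order++
            $candidate = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }
            $trusted  = [bool]($Roots | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
            $writable = Test-BroadWrite -Dir $dir
            [PSCustomObject]@{
                Name            = $name
                Order           = $order
                Path            = $candidate
                Trusted         = $trusted
                BroadlyWritable = $writable
                Signature       = (Get-AuthenticodeSignature -LiteralPath $candidate).Status
                # a writable, untrusted copy that resolves before any trusted copy wins the lookup
                Shadowing       = ($writable -and -not $trusted -and -not $trustedSeen)
            }
            if ($trusted) { $trustedSeen = $true }
        }
    }
}

Find-ShadowedExecutable -Names $NamesToCheck -Roots $TrustedRoots |
    Sort-Object Name, Order | Format-Table -AutoSize
```

Run it in the same shell profile the developer uses, because the user-scoped PATH and the current working directory differ per session; a row with Shadowing set to True is the finding to investigate, and a NotSigned or HashMismatch signature on an untrusted copy strengthens it.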
Monitoring Recommendations
- Enable process creation and command-line auditing on developer workstations, and forward events to a centralized analytics platform.
- Monitor PATH environment variable modifications for both system and user scopes.
- Track Salesforce CLI telemetry and correlate process lineage to detect anomalous parent or child relationships.
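The file-write-then-execute correlation from the detection strategies and the process-lineage monitoring above can be expressed as one rule over endpoint telemetry. The PowerShell below is an added example, not code from the advisory or from Salesforce. The events are constructed for the demonstration: their field names follow Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), but every path, user and timestamp is invented, and the watched-directory list and the 30-minute window are assumptions to tune per environment.

```powershell
# Added example (not from the advisory or Salesforce): raise a finding when an executable is
# written into a watched directory and launched within a short window, and note whether the
# launch sits under a Salesforce CLI invocation. All sample events below are constructed.
$sampleEvents = @(
    [PSCustomObject]@{ Id = 11; Time = [datetime]'2025-10-01T09:00:00'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       TargetFilename = 'C:\Users\dev\Tools\node.exe'; User = 'CORP\dev' }
    [PSCustomObject]@{ Id = 1;  Time = [datetime]'2025-10-01T09:02:10'
                       Image = 'C:\Users\dev\Tools\node.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       ParentCommandLine = 'cmd.exe /c sf org list'; User = 'CORP\dev' }
    [PSCustomObject]@{ Id = 1;  Time = [datetime]'2025-10-01T09:05:00'
                       Image = 'C:\Program Files\nodejs\node.exe'          # trusted copy, no matching create
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       ParentCommandLine = 'cmd.exe /c sf org list'; User = 'CORP\dev' }
    [PSCustomObject]@{ Id = 11; Time = [datetime]'2025-10-01T08:00:00'
                       Image = 'C:\Program Files\Git\cmd\git.exe'
                       TargetFilename = 'C:\Users\dev\Tools\helper.exe'; User = 'CORP\dev' }
    [PSCustomObject]@{ Id = 1;  Time = [datetime]'2025-10-01T16:30:00'    # run hours later: outside the window
                       Image = 'C:\Users\dev\Tools\helper.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       ParentCommandLine = 'explorer.exe'; User = 'CORP\dev' }
)

# Matches sf / sfdx as a whole word, with or without .exe/.cmd, in a parent command line
$CliPattern = '\bsf(dx)?(\.exe|\.cmd)?\b'

function Find-PlantThenExecute {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string[]]$WatchedDirs,          # directories to watch, e.g. user-writable PATH entries
        [int]$WindowMinutes = 30
    )
    $creates  = $Events | Where-Object { $_.Id -eq 11 }
    $launches = $Events | Where-Object { $_.Id -eq 1 }
    foreach ($c in $creates) {
        $dir = Split-Path -Parent $c.TargetFilename
        if ($WatchedDirs -and ($WatchedDirs -notcontains $dir)) { continue }
        foreach ($l in $launches) {
            if ($l.Image -ne $c.TargetFilename) { continue }
            $delta = $l.Time - $c.Time
            # only a launch after the write, and within the window, counts
            if ($delta.TotalSeconds -lt 0 -or $delta.TotalMinutes -gt $WindowMinutes) { continue }
            [PSCustomObject]@{
                File           = $c.TargetFilename
                WrittenBy      = $c.Image
                WrittenAt      = $c.Time
                LaunchedBy     = $l.ParentImage
                SecondsBetween = [int]$delta.TotalSeconds
                User           = $l.User
                CliLineage     = [bool]($l.ParentCommandLine -match $CliPattern)
            }
        }
    }
}

$watched = @('C:\Users\dev\Tools')   # assumption: replace with the writable PATH directories found on the host
Find-PlantThenExecute -Events $sampleEvents -WatchedDirs $watched -WindowMinutes 30 |
    Format-Table -AutoSize
```

In production the event array would come from Get-WinEvent against the Sysmon operational log or from the SIEM; keeping the rule keyed on the exact TargetFilename and Image pair, rather than on the file name alone, is what stops the trusted copy under Program Files from producing noise, and the CliLineage flag is what ties a hit back to this advisory rather than to generic dropper activity.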
How to Mitigate CVE-2025-9844
Immediate Actions Required
- Upgrade Salesforce CLI to version 2.106.6 or later on all Windows hosts.
- Audit PATH entries on developer machines and remove or restrict any user-writable directories that precede system paths.
- Rotate Salesforce credentials, OAuth tokens, and connected app secrets used on potentially exposed workstations.
Patch Information
Salesforce addressed the issue in Salesforce CLI 2.106.6. Apply the update through the standard CLI upgrade workflow or via the package manager used to install the tool. Review the Salesforce Help Article for vendor guidance.
Workarounds
- Restrict write permissions on every directory listed in the system and user PATH to administrators only.
- Invoke Salesforce CLI from a controlled working directory that does not contain untrusted files.
- Apply application allowlisting to block execution of unsigned binaries from user profile directories.
# Verify installed Salesforce CLI version on Windows (PowerShell)
sf --version
# Upgrade to a fixed release (npm-based install; use your package manager otherwise)
npm install --global @salesforce/cli@latest
# Audit PATH for user-writable directories: report each directory's owner and any
# Allow ACE granting write/modify to a broad group, which is what makes it a plant location
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band 2) -ne 0)   # bit 2 = WriteData/CreateFiles
    } | ForEach-Object { $_.IdentityReference.Value }
    [PSCustomObject]@{ Path = $dir; Owner = $acl.Owner; BroadWrite = ($writers -join ', ') }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.