Critical Vulnerability in Salesforce CLI Installer Grants SYSTEM-Level Access to Attackers

A significant security flaw has been identified in the Salesforce Command Line Interface (CLI) installer, specifically affecting the `sf-x64.exe` executable on Windows platforms. This vulnerability, cataloged as CVE-2025-9844, arises from improper handling of executable file paths during the installation process. Exploiting this flaw allows malicious actors to execute arbitrary code, escalate privileges, and gain SYSTEM-level access on compromised systems.

Understanding the Path Hijacking Vulnerability (CVE-2025-9844):

The core issue lies in the way the Salesforce CLI installer resolves file paths when initiating the installation. During execution, `sf-x64.exe` attempts to load auxiliary executables and Dynamic Link Libraries (DLLs) from the current working directory before defaulting to its own directory. This behavior opens the door for attackers to perform a path hijacking attack.

By placing a malicious executable or DLL with the same name as a legitimate component (e.g., `sf-autoupdate.exe` or `sf-config.dll`) in the same directory as the installer, an attacker can trick the installer into loading and executing the rogue file. Given that the installer operates with elevated privileges—capable of writing registry keys under `HKLM` and creating services under the `LocalSystem` account—the malicious code inherits these high-level privileges. This inheritance enables the attacker to fully compromise the host machine.

For instance, upon execution, the installer may inadvertently load a malicious `sf-autoupdate.exe`, which could then establish a reverse shell service under the `LocalSystem` account. This setup grants the attacker the ability to execute commands remotely and obtain SYSTEM-level outputs, effectively taking control of the system.
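The following pre-launch audit is an added example and is not part of the advisory or of Salesforce’s own tooling. It checks the two things the hijack depends on: that the installer you are about to run carries a valid Authenticode signature from the publisher you expect, and that no unsigned or differently signed `.exe`/`.dll` is sitting in the working directory or beside the installer, where a working-directory-first loader would pick it up. The expected signer subject is a placeholder parameter, not a verified Salesforce certificate name; confirm the real value from a known-good copy downloaded from the official site.

```powershell
# Added example (not from the advisory or from Salesforce): audit an installer
# and the directories a working-directory-first loader would search, before
# running it with elevated privileges.
# Assumption: -ExpectedSignerSubject is a placeholder, not a verified Salesforce
# certificate subject; set it from a known-good, officially downloaded installer.

function Test-InstallerStaging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [string] $ExpectedSignerSubject = 'CN=PLACEHOLDER-PUBLISHER'
    )

    $installer = Get-Item -LiteralPath $InstallerPath
    $findings  = [System.Collections.Generic.List[object]]::new()

    # 1. The installer itself must be validly signed by the expected publisher.
    #    A copy modified by an untrusted mirror fails one of these two checks.
    $sig = Get-AuthenticodeSignature -LiteralPath $installer.FullName
    if ($sig.Status -ne 'Valid') {
        $findings.Add([pscustomobject]@{
            File  = $installer.FullName
            Issue = "installer signature status is '$($sig.Status)'" })
    } elseif ($sig.SignerCertificate.Subject -ne $ExpectedSignerSubject) {
        $findings.Add([pscustomobject]@{
            File  = $installer.FullName
            Issue = "installer signed by unexpected subject '$($sig.SignerCertificate.Subject)'" })
    }

    # 2. The vulnerable installer resolves auxiliary .exe/.dll names from the
    #    current working directory before its own directory, so every such file
    #    in either location is a candidate hijack payload. Report any that is
    #    unsigned or signed by someone other than the expected publisher.
    $searchDirs = @($installer.DirectoryName, (Get-Location).Path) | Select-Object -Unique
    foreach ($dir in $searchDirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in @('.exe', '.dll')) -and ($_.FullName -ne $installer.FullName) } |
            ForEach-Object {
                $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($s.Status -ne 'Valid' -or $s.SignerCertificate.Subject -ne $ExpectedSignerSubject) {
                    $findings.Add([pscustomobject]@{
                        File  = $_.FullName
                        Issue = "loadable sibling has signature status '$($s.Status)' (signer: $($s.SignerCertificate.Subject))" })
                }
            }
    }

    # Empty output means nothing suspicious was found; anything listed should be
    # reviewed (and the stray file removed) before the installer is launched.
    return $findings
}

# Usage, from the directory in which you intend to launch the installer:
# Test-InstallerStaging -InstallerPath .\sf-x64.exe -ExpectedSignerSubject 'CN=...' | Format-Table -AutoSize
```

Running this from the same directory you will launch the installer from matters, because that directory, not just the installer's own, is what the flawed lookup consults first.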

Risk Assessment:

– Affected Products: Salesforce CLI installer (`sf-x64.exe`) versions prior to 2.106.6.
– Impact: Potential for arbitrary code execution and privilege escalation to SYSTEM-level access.
– Exploit Prerequisites:
  – The installer is obtained from untrusted sources.
  – A malicious executable is placed in the installer’s working directory.
  – The installer is executed with elevated privileges.
– CVSS 3.1 Score: 7.8 (High)

Affected Versions and Recommended Mitigation Strategies:

All versions of the Salesforce CLI installer before 2.106.6 are susceptible to this path hijacking vulnerability. It’s crucial to note that this risk primarily affects users who have downloaded the installer from unverified mirrors or third-party repositories. Installations obtained directly from Salesforce’s official website utilize a signed installer that enforces strict path resolution and integrity checks, mitigating this risk.

Immediate Actions for Affected Users:

1. Uninstall Unverified Versions: If you have installed the CLI from untrusted sources, promptly uninstall it.
2. System Scan: Conduct a comprehensive system scan to detect and remove any unknown executables or suspicious services that may have been introduced.
3. Update to Secure Version: Salesforce has addressed this vulnerability in version 2.106.6 by implementing hard-coded absolute file paths and validating digital signatures before loading supplementary executables. Users should download and install this updated version from Salesforce’s official site.

Preventive Measures for Administrators:

– Enforce Trusted Installations: Ensure that installations are performed exclusively from trusted endpoints to prevent the introduction of malicious code.
– Implement Application Control Policies: Utilize Microsoft Defender Application Control (MDAC) policies to restrict the execution of unauthorized binaries within installation directories.
– Monitor System Logs: Regularly review system event logs for signs of unexpected service creation or installer execution from non-standard paths. Early detection of such activities can help in mitigating potential exploits.
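As an added example of the log review suggested above (not code from the advisory or from Salesforce), the script below looks for the trace a hijacked installer would leave: a newly installed service whose binary lives outside the standard program locations and which runs as `LocalSystem`. It reads Event ID 7045 ("A service was installed in the system"), which the Service Control Manager writes to the System log without any extra audit policy. The sample event record embedded in the script is constructed for offline testing and is not a real log entry; the `sf-autoupdate` name is taken from the example in the advisory.

```powershell
# Added example (not from the advisory or from Salesforce): flag newly installed
# services whose image path is outside the standard program directories and
# which run as LocalSystem, the footprint a hijacked installer would leave.
# Event ID 7045 is written by Service Control Manager to the System log.

function ConvertFrom-ServiceInstallEvent {
    # Parse the EventData fields of a 7045 record (as XML text) into an object.
    param([Parameter(Mandatory)] [string] $EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $x.Event.System.TimeCreated.SystemTime
        ServiceName = $data['ServiceName']
        # Keep only the quoted executable path, dropping any trailing arguments.
        ImagePath   = ([string]$data['ImagePath'] -replace '^"([^"]+)".*$', '$1')
        Account     = $data['AccountName']
    }
}

function Test-SuspiciousServiceInstall {
    # Heuristic: binary outside SystemRoot / Program Files and running as LocalSystem.
    param([Parameter(Mandatory)] $Record)
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    $path = [string]$Record.ImagePath
    $inTrusted = $false
    foreach ($t in $trusted) {
        if ($path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    return (-not $inTrusted) -and ($Record.Account -eq 'LocalSystem')
}

function Get-SuspiciousServiceInstalls {
    # Live query: 7045 events from the last $Days days that match the heuristic.
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ServiceInstallEvent -EventXml $_.ToXml() } |
        Where-Object { Test-SuspiciousServiceInstall -Record $_ }
}

# Constructed sample record (not a real log entry) so the parser and the rule
# can be exercised offline; on a live host call Get-SuspiciousServiceInstalls.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID>7045</EventID>
    <TimeCreated SystemTime="2025-01-01T12:00:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="ServiceName">sf-autoupdate</Data>
    <Data Name="ImagePath">"C:\Users\alice\Downloads\sf-autoupdate.exe" /svc</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@

$rec = ConvertFrom-ServiceInstallEvent -EventXml $sample
if (Test-SuspiciousServiceInstall -Record $rec) {
    "REVIEW: service '$($rec.ServiceName)' -> $($rec.ImagePath) as $($rec.Account) at $($rec.Time)"
}
```

Legitimate third-party services do sometimes install under other paths, so treat hits as review candidates rather than verdicts; pairing a hit with a matching process-creation record for the installer (Event ID 4688, which requires process auditing to be enabled) from a user-writable path is the stronger signal.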

Conclusion:

The discovery of CVE-2025-9844 underscores the critical importance of sourcing software from trusted and verified sources. Users and administrators must remain vigilant, ensuring that all installations are performed from official channels and that systems are regularly updated to incorporate the latest security patches. By adhering to these practices, organizations can significantly reduce the risk of exploitation and maintain the integrity of their systems.