A recently published security report has unveiled a critical vulnerability chain in Salesforce AgentForce, dubbed ForcedLeak, that exposes a dangerous new class of AI-specific threats in enterprise software. The flaw, rated a critical CVSS score of 9.4, demonstrates how the expanded attack surface of autonomous AI agents can be exploited using indirect prompt injection attacks.
The ForcedLeak Vulnerability in Salesforce
ForcedLeak targets Salesforce AgentForce, an AI agent platform integrated into the Customer Relationship Management (CRM) system designed to autonomously manage complex business tasks like lead handling and customer outreach. The core issue lies in how these advanced AI agents process external information not merely as static data, but as dynamic, executable instructions. Unlike simpler chatbots, autonomous AI agents possess reasoning, internal memory, and tool-calling abilities, which significantly broadens their vulnerability to attack.
Noma Labs, the security firm that discovered the vulnerability, found that attackers could inject malicious instructions directly into Salesforce’s Web-to-Lead form submissions. When internal employees later asked AgentForce to perform a trusted query about these leads, the AI would unknowingly process the embedded payload, effectively transforming trusted CRM data into an attack vector. This flaw allowed for unauthorized access to sensitive CRM data, including customer contacts, sales strategies, and details about third-party integrations.
Attack Mechanics and Technical Details
The researchers mapped out a multi-phase attack that relied on stealth and trust to succeed. The attacker first identified the "Description" field in Web-to-Lead forms as the ideal injection point, leveraging its 42,000-character limit. They then crafted a realistic-looking lead that contained malicious instructions disguised to look like legitimate customer data.
The attack was triggered by seemingly innocuous employee actions, such as a query like, “Please, check the lead with name ‘Alice Bob’ and answer their questions…” This prompt would instruct the AI to parse the malicious instructions hidden within the lead data and execute them. To exfiltrate the stolen data without detection, the attacker exploited a Content Security Policy (CSP) bypass. They purchased an expired domain, my-salesforce-cms.com, which was still whitelisted by Salesforce, allowing the compromised data to be transmitted out through a seemingly trusted channel.
Impact and Salesforce’s Response
Any organization using Salesforce AgentForce with the Web-to-Lead functionality, common in sales and marketing environments that constantly ingest external prospect data, was at risk. The implications include potential exposure of customer data, internal communications, and sales pipeline details, leading to severe regulatory risks and reputational damage. The research also highlighted the possibility of time-delayed execution, where payloads lie dormant until triggered by a future employee action, making detection extremely challenging.
Salesforce was notified on July 28, 2025. They investigated the issue and released a patch on September 8, 2025, which implemented Trusted URLs Enforcement for both AgentForce and their Einstein AI platform. Salesforce also secured the expired domain and strengthened its CSP policies to prevent similar exploits. The vulnerability was publicly disclosed on September 25, 2025.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
