Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/Threats/Critical Salesforce Marketing Cloud Flaw Exposed Email Data
Threats

Critical Salesforce Marketing Cloud Flaw Exposed Email Data

Key Takeaways Multiple critical vulnerabilities in Salesforce Marketing Cloud (SFMC) could have allowed unauthorized access to sensitive email data across hundreds of organizations. The flaws stemmed...

Sarah simpson
Sarah simpson
May 6, 2026 4 Min Read
55 0

Key Takeaways

  • Multiple critical vulnerabilities in Salesforce Marketing Cloud (SFMC) could have allowed unauthorized access to sensitive email data across hundreds of organizations.
  • The flaws stemmed from insecure scripting features and an outdated, easily crackable encryption method for email viewing links.
  • Attackers could have potentially read all past emails sent by any company using the platform, impacting millions of users.
  • Salesforce has patched the vulnerabilities, assigned several CVE IDs (CVE-2026-22585, CVE-2026-22586, CVE-2026-22582, CVE-2026-22583, CVE-2026-2298), and confirmed no evidence of exploitation.
  • Organizations utilizing SFMC are advised to review email templates and regenerate old email view links.

A series of critical security vulnerabilities within Salesforce Marketing Cloud (SFMC), a widely used email marketing platform, could have led to the widespread exposure of private email data for millions of users across hundreds of organizations. These flaws, now remediated, were rooted in the platform’s embedded scripting capabilities and a legacy encryption method that remained in active use for years.

Table Of Content

  • Key Takeaways
  • Salesforce Marketing Cloud Vulnerability Details
  • Broken Encryption Enabled Cross-Tenant Email Access
  • What You Should Do

At their most severe, these vulnerabilities presented an attacker with the capability to surreptitiously access and read every email ever disseminated by any company leveraging the SFMC platform. A detailed report from published by Searchlight Cyber details the findings.

Salesforce Marketing Cloud, previously known as ExactTarget, stands as a cornerstone in the digital marketing landscape, facilitating mass email communications for numerous enterprises across critical sectors such as aviation, finance, energy, and technology. Its extensive adoption, particularly among Fortune 500 companies, makes it an attractive target for threat actors seeking to harvest vast quantities of customer data through a single, coordinated attack.

Researchers at Searchlight Cyber were responsible for uncovering and reporting these vulnerabilities. Their investigation revealed that the issues primarily revolved around template injection flaws combined with a fundamentally broken encryption scheme used to secure email viewing links. A critical aspect of the vulnerability was SFMC’s shared infrastructure and the use of a single, static encryption key across all its customers. This design flaw meant that a compromise within one tenant could cascade, potentially exposing all other tenants on the same network.

The attack vector typically began with a template injection. This involved malicious user-supplied input, for instance, a script payload embedded within a name field during a newsletter subscription, being executed by the platform’s scripting engine. SFMC supports scripting languages like AMPScript and SSJS, which are used to personalize email content. When user input was not adequately sanitized before being processed by these engines, attackers could inject and execute their own instructions within the email rendering system.

Once injected, the malicious code could rapidly escalate its privileges. Attackers could gain access to SFMC’s internal system tables, enabling them to extract sensitive data such as contact lists, the content of sent emails, SMS records, and click-tracking data from any organization hosted on the platform. Searchlight Cyber researchers successfully demonstrated the feasibility of this attack, confirming vulnerable companies across nearly all major industries simply by signing up to mailing lists with crafted script payloads.

Salesforce Marketing Cloud Vulnerability Details

One of the most pervasive issues identified was the handling of email subject lines within SFMC. The platform, by default, would evaluate AMPScript in subject lines twice before dispatching an email. This double evaluation meant that any subscriber data present in the subject line would be re-processed as live code during the second pass, effectively turning every personalized subject line into a potential entry point for attackers. Developers had no clear indication that this behavior posed a security risk.

Salesforce had previously attempted to eliminate this double evaluation in 2023 but reverted the change due to customer feedback. Following Searchlight Cyber’s disclosure, Salesforce has permanently disabled the double evaluation of AMPScript in subject lines, thereby closing this specific attack vector.

Salesforce has since addressed these vulnerabilities and assigned the following CVE IDs:

  • CVE-2026-22585
  • CVE-2026-22586
  • CVE-2026-22582
  • CVE-2026-22583
  • CVE-2026-2298

Broken Encryption Enabled Cross-Tenant Email Access

The second critical vulnerability involved the method SFMC used to encrypt query strings embedded in email view links. These links allow recipients to open an email in a web browser. The legacy “classic” format was protected by an XOR cipher with a fixed, repeating key. This encryption method is fundamentally insecure by modern cryptographic standards.

The shared nature of SFMC’s infrastructure meant that a single, static key was utilized globally for all customers. This allowed an attacker, once they managed to crack the encryption of one link, to forge new links capable of accessing emails from any other company on the platform. Researchers demonstrated this using a CBC padding oracle attack, which allowed them to decrypt and re-encrypt query parameters to read emails across different tenants. A more efficient variant of this attack reduced the number of required requests from over ten thousand to merely two per guess, making large-scale data harvesting a technically viable threat.

Salesforce was informed of these issues on January 16, 2026, and swiftly deployed a fix by January 24, 2026. The company implemented AES-GCM encryption, invalidated all email view links created before January 23, 2026, and confirmed that no unauthorized access to customer data had been detected.

What You Should Do

  • Audit Email Templates: Review all email templates for any unsafe usage of the TreatAsContent function or other scripting constructs that process user input without proper sanitization.
  • Review Subject Line Input: Ensure that any user-supplied data flowing into email subject lines is rigorously validated and sanitized to prevent script injection.
  • Regenerate Email View Links: Confirm that all active email view links within your SFMC instance have been regenerated under the new, updated encryption scheme. Links created before January 23, 2026, are no longer valid and should be replaced.
  • Stay Updated: Regularly check Salesforce security advisories and ensure your SFMC instance is running the latest patched versions.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEPatchSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical OpenClaw DeepSeek AI Skill Exploits Agentic Workflows to Deliver RAT and Stealer

Next Post

Critical Fanwei E-cology10 Vulnerability Exposes Credentials, Allows Session Hijacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us