Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
Critical bug in Salesforce CLI: Arbitrary code execution and SYSTEM access

24 September 2025 17:17

A critical vulnerability in the Salesforce CLI installer (sf-x64.exe) allows attackers to gain arbitrary code execution, privilege escalation, and SYSTEM-level access on Windows systems.

The vulnerability stems from the way the installer resolves the paths of the components it loads during installation. Salesforce has released version 2.106.6, which addresses the issue by hard-coding absolute file paths and validating digital signatures before loading additional executables.

When sf-x64.exe runs, it looks for several helper executables and auxiliary DLLs in the current working directory first, and only then falls back to the directory that contains the installer itself.

An attacker who places a malicious file with the same name as a legitimate component (for example, sf-autoupdate.exe or sf-config.dll) in the directory from which the installer is launched can therefore cause the installer to load and execute the attacker's code instead of the genuine component.
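
The lookup order described above is the whole bug, so the following added example (written for this page, not Salesforce's code) models it: a resolver that checks the working directory before the installer's own directory, beside the hardened form that uses an absolute path rooted at the installer and refuses a component that fails an integrity check. The real fix validates Authenticode signatures; a SHA-256 allowlist stands in for that here so the example runs offline on any OS. The directory layout, file contents and allowlist are constructed for the example; only the component names come from the article.

```python
"""Added illustration: current-directory-first lookup vs. absolute-path lookup
with an integrity check. Not the installer's code; the hash allowlist is a
stand-in for the signature validation the advisory describes."""
import hashlib
import tempfile
from pathlib import Path

COMPONENTS = ("sf-autoupdate.exe", "sf-config.dll")  # names taken from the article


def resolve_vulnerable(name: str, cwd: Path, installer_dir: Path) -> Path:
    """Pre-2.106.6 behaviour as described: try the current working directory
    first, then fall back to the directory containing the installer."""
    candidate = cwd / name
    if candidate.exists():
        return candidate
    return installer_dir / name


def resolve_fixed(name: str, installer_dir: Path, allowlist: dict) -> Path:
    """Hardened lookup: absolute path rooted at the installer's own directory,
    and an integrity check (here SHA-256, standing in for a signature check)
    before the component is loaded."""
    path = (installer_dir / name).resolve()
    if not path.is_file():
        raise FileNotFoundError(path)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if allowlist.get(name) != digest:
        raise PermissionError(f"integrity check failed for {path}")
    return path


def demo() -> dict:
    """Build a constructed layout: the legitimate component next to the
    installer, a planted copy in the launch directory. Return what each
    resolver would load, and whether in-place tampering is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        installer_dir = root / "install"    # where sf-x64.exe sits (constructed)
        cwd = root / "Downloads"            # directory the user launched from (constructed)
        installer_dir.mkdir()
        cwd.mkdir()

        legit = installer_dir / COMPONENTS[0]
        legit.write_bytes(b"LEGIT sf-autoupdate")
        planted = cwd / COMPONENTS[0]
        planted.write_bytes(b"EVIL reverse-shell service installer")
        # The allowlist is pinned to the genuine component's contents.
        allowlist = {COMPONENTS[0]: hashlib.sha256(legit.read_bytes()).hexdigest()}

        results = {
            "vulnerable": resolve_vulnerable(COMPONENTS[0], cwd, installer_dir).read_bytes().decode(),
            "fixed": resolve_fixed(COMPONENTS[0], installer_dir, allowlist).read_bytes().decode(),
        }

        # Even a file in the right directory is rejected once its contents change.
        legit.write_bytes(b"EVIL patched in place")
        try:
            resolve_fixed(COMPONENTS[0], installer_dir, allowlist)
            results["tampered"] = "loaded"
        except PermissionError:
            results["tampered"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} -> {value}")
```

Running the script shows the vulnerable resolver handing back the planted file from the launch directory while the fixed resolver returns the genuine component and rejects the tampered one. Note that hard-coding the installer's directory alone is not sufficient: without the integrity check, an attacker who can write next to the installer (for example on an untrusted mirror) still wins, which is why the fix does both.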

Tracked as CVE-2025-9844, the flaw results from the installer's improper handling of executable file paths, which allows malicious files to be executed in place of the legitimate binaries when the software is obtained from untrusted sources.

Because the installer runs with elevated privileges by default (writing registry keys under HKLM and creating services that run as LocalSystem), the injected code inherits SYSTEM-level privileges, giving the attacker full control of the host machine.

In the scenario described, the installer loads the rogue sf-autoupdate.exe, which escalates privileges by creating a reverse-shell service under the LocalSystem account; the attacker then uses that shell to execute commands on the operating system. All versions of Salesforce CLI prior to 2.106.6 are affected by this path-hijacking vulnerability.

It is important to note that the users most exposed are those who install the CLI from untrusted mirrors or third-party repositories, where the attacker can ship a planted component alongside the installer. Installers downloaded directly from the official Salesforce website are signed, so their own integrity can be verified before they are run; the path-resolution behaviour itself, however, is present in every version prior to 2.106.6, which is why the fix hard-codes absolute paths and verifies the signatures of the components the installer loads. Running the installer from a directory that other users cannot write to also removes the attacker's opportunity to plant a file.

To remediate, users who installed the CLI from unverified sources should uninstall it immediately, reinstall version 2.106.6 or later from the official Salesforce site, and run a full system scan for unknown executables and suspicious services, in particular services configured to run as LocalSystem from user-writable directories.

Administrators are advised to permit installation only from trusted endpoints and to enable Windows Defender Application Control (WDAC) policies that restrict the execution of unauthorized binaries in installation directories. System event logs should also be monitored continuously to detect installers running from non-standard locations.
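
The two signals the previous paragraphs ask responders to look for (a service created to run as LocalSystem from an unexpected path, and the installer launched from a non-standard location) map onto two well-known Windows events: Event ID 7045 in the System log ("A service was installed in the system") and Event ID 4688 in the Security log (process creation). The triage logic below is an added example for this page, not tooling from the article or from Salesforce. The event records are constructed and simplified to flat dictionaries (the real 7045 fields are "Service File Name" and "Service Account"); the trusted installer root is an assumed site policy, and the user and service names are invented.

```python
"""Added example: flag LocalSystem services from untrusted paths (Event ID 7045)
and sf-x64.exe launches from non-standard locations (Event ID 4688).
Events below are constructed; field names are simplified from the Windows schema."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories from which a legitimately installed service binary is expected to run.
TRUSTED_SERVICE_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Where this (assumed) site policy allows the Salesforce CLI installer to be run from.
TRUSTED_INSTALLER_ROOTS = ("c:\\programdata\\approved-installers\\",)
INSTALLER_NAME = "sf-x64.exe"

# Constructed sample records, one benign and one suspicious of each kind.
CONSTRUCTED_EVENTS = [
    {"EventID": 7045, "ServiceName": "SfUpdater",
     "ImagePath": "C:\\Users\\alice\\Downloads\\sf-autoupdate.exe -svc", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\alice\\Downloads\\sf-x64.exe", "SubjectUserName": "alice"},
    {"EventID": 4688, "NewProcessName": "C:\\ProgramData\\approved-installers\\sf-x64.exe",
     "SubjectUserName": "svc-deploy"},
]

# A service image path may be quoted, or unquoted with spaces and trailing arguments.
_IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def image_from_command(command_line: str) -> str:
    """Extract the executable path from a service's command line."""
    m = _IMAGE_RE.match(command_line.strip())
    if m:
        return m.group(1) or m.group(2)
    return command_line.split()[0]


def under_trusted_root(path: str, roots: tuple[str, ...]) -> bool:
    """Case-insensitive prefix check against a list of trusted directories."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in roots)


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches either detection rule."""
    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 7045:
            image = image_from_command(ev["ImagePath"])
            if ev["AccountName"] == "LocalSystem" and not under_trusted_root(image, TRUSTED_SERVICE_ROOTS):
                findings.append(Finding(7045, "LocalSystem service from untrusted path",
                                        f'{ev["ServiceName"]} -> {image}'))
        elif ev["EventID"] == 4688:
            proc = ev["NewProcessName"]
            if proc.lower().endswith("\\" + INSTALLER_NAME) and not under_trusted_root(proc, TRUSTED_INSTALLER_ROOTS):
                findings.append(Finding(4688, "installer launched from non-standard location",
                                        f'{ev["SubjectUserName"]} ran {proc}'))
    return findings


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_EVENTS):
        print(f"[{f.event_id}] {f.reason}: {f.detail}")
```

Against the constructed records this flags the SfUpdater service installed from a Downloads folder and alice's launch of sf-x64.exe from the same folder, while the Spooler service and the installer run from the approved directory pass. In a real deployment the 7045 rule is the higher-value one: a LocalSystem service whose image lives under a user profile is rarely legitimate, whereas the 4688 rule depends on 4688 auditing being enabled and on a sensible allowlist of installer locations.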


Agostino Pellegrino
He is a freelancer, teacher and expert in Computer Forensics, Cyber Security, Ethical Hacking and Network Management. He has collaborated with leading educational institutions internationally and has taught and mentored advanced Offensive Security techniques for NATO, receiving major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Cybersecurity architecture, Threat intelligence, Digital forensics, Offensive security, Incident response & SOAR, Malware analysis, Compliance & frameworks