Salesforce CLI Installer Vulnerability

A high-severity vulnerability (CVSS 7.8) in the Salesforce CLI installer (sf-x64.exe) lets attackers achieve arbitrary code execution, privilege escalation, and SYSTEM-level access on Windows systems.

Tracked as CVE-2025-9844, the flaw stems from improper handling of executable file paths by the installer, allowing malicious files to be executed in place of legitimate binaries when the software is obtained from untrusted sources.

Path Hijacking Vulnerability (CVE-2025-9844)

The vulnerability lies in how the Salesforce CLI installer resolves file paths during installation. When sf-x64.exe runs, it loads several auxiliary executables and DLLs from the current working directory before falling back to the directory containing the installer.

An attacker who places a crafted executable with the same name as a legitimate component (for example, sf-autoupdate.exe or sf-config.dll) in the directory the installer is run from can make the installer load and execute the attacker's code instead of the real component.

Because the installer runs with elevated privileges by default, writing registry keys under HKLM and creating services under LocalSystem, the injected code runs with those same administrative rights and can register its own LocalSystem service, giving the attacker SYSTEM-level control of the host.

In the demonstrated attack chain, the installer loads the rogue sf-autoupdate.exe, which escalates privileges by registering a reverse-shell service under the LocalSystem account. The attacker then uses that shell to run commands and obtains SYSTEM-level output.

Risk Factors            Details
Affected Products       Salesforce CLI installer (sf-x64.exe) versions < 2.106.6
Impact                  Arbitrary code execution; privilege escalation to SYSTEM-level access
Exploit Prerequisites   Installer obtained from an untrusted source; attacker places a malicious executable in the installer's working directory; installer run with elevated privileges
CVSS 3.1 Score          7.8 (High)

Affected Versions and Mitigation

All Salesforce CLI versions prior to 2.106.6 are affected by this path hijacking vulnerability.

Only users who install the CLI from untrusted mirrors or third-party repositories are at risk; installers downloaded directly from the official Salesforce site are signed and enforce strict path resolution and integrity checks.

To remediate, affected users should immediately uninstall any CLI version obtained from unverified sources and scan the system for unknown executables and suspicious services.

Salesforce has released version 2.106.6, which fixes the issue by hard-coding absolute file paths and validating digital signatures before loading supplementary executables. 
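The following PowerShell is an added illustration, not code from Salesforce or from the installer. It models the search order described above (current working directory first, then the installer's own directory) beside the hardened pattern the fix describes (an absolute path under the installer directory, plus a signature check before anything is launched). The helper name sf-autoupdate.exe comes from the article; the directory layout, the function names and the expected signer subject are assumptions, and the placeholder files are constructed text files that are never executed.

```powershell
# Added example (not Salesforce code). Models the flawed search order next to the
# hardened resolution. The signer subject default is an assumption: take the real
# value from a known-good, signed sf-x64.exe before relying on it.

function Resolve-HelperVulnerable {
    # Mirrors the flaw: look in the current working directory first,
    # then fall back to the installer's own directory.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $InstallerDir
    )
    foreach ($dir in @($PWD.Path, $InstallerDir)) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Resolve-HelperHardened {
    # Hardened pattern: absolute path under the installer directory only, and the
    # file must carry a valid Authenticode signature from the expected publisher
    # before it is ever handed to Start-Process.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $InstallerDir,
        [string] $ExpectedSubject = 'CN=Salesforce*'   # assumed; verify against a known-good binary
    )
    $candidate = Join-Path $InstallerDir $Name
    if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) {
        throw "Required component '$Name' is missing from $InstallerDir"
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $candidate
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to load '$candidate': signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike $ExpectedSubject) {
        throw "Refusing to load '$candidate': unexpected signer $($sig.SignerCertificate.Subject)"
    }
    return $candidate
}

# Demo with constructed, unsigned placeholder files (nothing here is executed).
$root      = Join-Path ([IO.Path]::GetTempPath()) ("cve-2025-9844-demo-" + [guid]::NewGuid())
$installer = (New-Item -ItemType Directory -Path (Join-Path $root 'installer')).FullName
$download  = (New-Item -ItemType Directory -Path (Join-Path $root 'downloads')).FullName
Set-Content -Path (Join-Path $installer 'sf-autoupdate.exe') -Value 'legitimate placeholder'
Set-Content -Path (Join-Path $download  'sf-autoupdate.exe') -Value 'planted placeholder'

Push-Location $download            # run "from" the untrusted download folder
try {
    $picked = Resolve-HelperVulnerable -Name 'sf-autoupdate.exe' -InstallerDir $installer
    Write-Host "Vulnerable resolution picked: $picked"    # the planted copy in the CWD wins
    try {
        Resolve-HelperHardened -Name 'sf-autoupdate.exe' -InstallerDir $installer
    } catch {
        Write-Host "Hardened resolution refused: $_"      # no valid signature, so it is rejected
    }
} finally {
    Pop-Location
    Remove-Item -Recurse -Force $root
}
```

The vulnerable resolver returns the copy in the downloads directory even though the installer's own copy exists, which is the whole bug; the hardened resolver never consults the working directory and rejects both placeholders because neither carries a valid signature. A real fix would apply the same check to every DLL and executable the installer loads, not only the ones it starts explicitly.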

Administrators are advised to enforce installation from trusted endpoints only and to enable Microsoft Defender Application Control (MDAC) policies to restrict execution of unauthorized binaries in installation directories. 

Continuous monitoring of system event logs for unexpected service creation or installer execution under non-standard paths will help detect attempted exploits early.
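An added audit script (not Salesforce tooling) that applies the pre-install check and the log monitoring recommended above: it verifies the installer's own signature, lists any executable or DLL sitting beside it, reports services registered through System log Event ID 7045 whose binary lives outside Program Files or the Windows directory, and, where process-creation auditing is enabled, lists Security log Event ID 4688 launches of sf-x64.exe with the directory they ran from. The installer path C:\Users\alice\Downloads\sf-x64.exe, the trusted-root list and the function names are assumptions; run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example, not Salesforce tooling. Run in an elevated PowerShell session.
# $InstallerPath at the bottom is an assumed location; adjust it to where the installer was saved.

function Test-InstallerDirectory {
    # Pre-install check: the installer must carry a valid Authenticode signature, and
    # no other .exe or .dll may sit beside it, because a same-named component in that
    # folder is exactly what the vulnerable installer would pick up.
    param([Parameter(Mandatory)] [string] $InstallerPath)
    $installer = (Resolve-Path -LiteralPath $InstallerPath).Path
    $dir       = Split-Path -Parent $installer
    $findings  = @()

    $sig = Get-AuthenticodeSignature -LiteralPath $installer
    if ($sig.Status -ne 'Valid') { $findings += "installer signature status is $($sig.Status)" }
    else { $findings += "installer signed by $($sig.SignerCertificate.Subject)" }

    Get-ChildItem -LiteralPath $dir -File |
        Where-Object { $_.Extension -in '.exe', '.dll' -and $_.FullName -ne $installer } |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $findings += "neighbouring binary $($_.Name): signature $($s.Status) - remove before installing"
        }
    return $findings
}

function ConvertFrom-EventData {
    # Read EventData by field name rather than by positional Properties[] index.
    param([Parameter(Mandatory)] $Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-UnderTrustedRoot {
    param([string] $Path, [string[]] $Roots)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($r in $Roots) {
        if ([string]::IsNullOrEmpty($r)) { continue }
        if ($expanded.StartsWith($r.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousServiceInstalls {
    # System log, Service Control Manager event 7045 ("A service was installed").
    # A user-mode service whose binary lives under a profile or temp directory is the
    # footprint the attack chain above leaves; kernel drivers are skipped to cut noise.
    param(
        [int] $Hours = 24,
        [string[]] $TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
    )
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d['ServiceType'] -notlike '*user mode*') { continue }
        # ImagePath may be quoted and may carry arguments; judge the executable part only.
        $exe = ($d['ImagePath'] -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\b.*$', '$1'
        if (-not (Test-UnderTrustedRoot -Path $exe -Roots $TrustedRoots)) {
            [pscustomobject]@{ Time = $e.TimeCreated; Service = $d['ServiceName']
                               Account = $d['AccountName']; ImagePath = $d['ImagePath'] }
        }
    }
}

function Get-InstallerLaunches {
    # Security log event 4688. Requires "Audit Process Creation"; the command line is
    # only present when "Include command line in process creation events" is enabled.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d['NewProcessName'] -like '*\sf-x64.exe') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['SubjectUserName']
                               RanFrom = Split-Path -Parent $d['NewProcessName']
                               CommandLine = $d['CommandLine'] }
        }
    }
}

$InstallerPath = 'C:\Users\alice\Downloads\sf-x64.exe'   # assumed location
if (Test-Path -LiteralPath $InstallerPath) { Test-InstallerDirectory $InstallerPath }
Get-SuspiciousServiceInstalls | Format-Table -AutoSize
Get-InstallerLaunches          | Format-Table -AutoSize
```

Any entry from Get-SuspiciousServiceInstalls running as LocalSystem from a Downloads or Temp path, appearing shortly after an sf-x64.exe launch from the same folder, is the pattern to escalate; the neighbouring-binary findings from Test-InstallerDirectory should be empty before the installer is run at all.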

Florence Nightingale
Florence Nightingale is a senior security and privacy reporter, covering data breaches, cybercrime, malware, and data leaks from cyber space daily.