Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks

The Cyber Express, May 7, 2026

Why It Matters

The weaknesses threatened the confidentiality of millions of marketing contacts and could enable cross‑company data leakage, undermining trust in a platform that powers enterprise‑scale campaigns. Prompt remediation is critical to protect brand reputation and compliance with data‑privacy regulations.

Key Takeaways

  • AMPScript injection can query internal subscriber data tables.
  • CloudPages “view email” flaw uses static encryption key across tenants.
  • Legacy XOR encryption still active, enabling fast parameter decryption.
  • Salesforce patched CVEs, rotated keys, moved to AES‑GCM encryption.
  • No evidence of active exploitation, but cross‑tenant risk remains high.

Pulse Analysis

Salesforce Marketing Cloud remains a cornerstone for large enterprises that run personalized email campaigns, but its centralized architecture also creates a single point of failure. The recent disclosures highlight how server‑side templating features like AMPScript and SSJS can be weaponized when input validation is insufficient. By injecting payloads into subject lines or content fields, attackers can trigger a second‑stage evaluation that executes arbitrary code, granting access to internal data views such as _Subscribers, _Sent, and _Click. This vector is especially concerning because it leverages native functions that marketers already trust for dynamic content generation.

A second, more systemic issue stems from the platform’s handling of encrypted query‑string (qs) parameters used in CloudPages and the “view email in browser” feature. Researchers found that the legacy CBC implementation acted as a padding oracle, and the static encryption key shared across tenants allowed token forgery. Coupled with an older XOR‑based scheme still active on modern tenants, threat actors could rapidly decrypt and manipulate parameters like JobID and ListSubscriber, effectively enumerating subscriber identities across unrelated organizations. These cryptographic oversights illustrate how legacy code can persist in cloud services, expanding the attack surface long after newer safeguards are deployed.

Salesforce’s response—assigning multiple CVEs, rotating keys, and migrating to AES‑GCM—addresses the immediate cryptographic flaws, but the incident serves as a cautionary tale for SaaS providers. Companies must regularly audit legacy components, enforce strict input sanitization, and adopt defense‑in‑depth encryption practices. For marketers, the episode underscores the need for vigilant monitoring of third‑party platforms and rapid patch adoption to safeguard consumer data and maintain regulatory compliance.