Breaking the Vault: Anatomy of the Salesforce Marketing Cloud Cryptographic and Injection Flaws
Salesforce Marketing Cloud (SFMC) recently orchestrated a critical patching cycle to address a cluster of high-impact vulnerabilities.
These flaws represented a significant threat vector, potentially granting unauthorized actors the ability to read, enumerate, and exfiltrate sensitive marketing emails and subscriber data across multiple tenants—including those belonging to Fortune 500 enterprises.
In the modern enterprise landscape, centralized marketing clouds are the backbone of digital engagement, enabling brands to deliver hyper-personalized, trackable campaigns at massive scale. SFMC (formerly known as ExactTarget) stands as a dominant force in this sector, leveraging complex architectures that power dynamic content through AMPScript, Server-Side JavaScript (SSJS), and deep integrations with relational Data Views.
While this combination of templating and scripting allows for unparalleled personalization, it also dramatically amplifies the “blast radius” when security boundaries are breached. If the underlying engine treats user-supplied data as executable logic, a single vulnerability can compromise an entire subscriber database.
The First Breach: Server-Side Template Injection (SSTI)
The initial risk vector originated within SFMC’s server-side templating stack. To facilitate personalization, marketers use AMPScript and SSJS to pull attributes—such as names or loyalty statuses—directly from subscriber records into email templates. However, the existence of functions like TreatAsContent introduced a dangerous primitive: the ability to treat a string as an active template.
When user-controlled values (like a name field in a sign-up form) are passed into such functions, they cease to be mere data and become executable code. This is a classic Server-Side Template Injection (SSTI) vulnerability.
The risk was compounded by a legacy behavior where Salesforce supported AMPScript within email subject lines. In older configurations, subject templates were evaluated twice by default. An attacker could sign up using a payload such as %%=RowCount(LookupRows("_Subscribers","SubscriberKey",_subscriberkey))=%% in a name field. During the second evaluation pass, the system would execute this code, providing a reliable injection point.
Once an attacker achieves template execution, they can leverage built-in functions like LookupRows to query internal Data Views (e.g., _Subscribers, _Sent, _Job, _SMSMessageTracking, or _Click). This allows for the systematic querying of contact lists and engagement history, effectively turning a personalization tool into a database exfiltration engine.
The Second Breach: Cryptographic Failure and Padding Oracles
An even more profound exposure resided in the implementation of “View Email in Browser” and related CloudPages features. To maintain brand consistency, customers typically map branded subdomains (e.g., view.example.com) to shared SFMC infrastructure. Within these URLs, tenant and message context are encoded in an encrypted qs query parameter.
Security researchers at Searchlight Cyber discovered that the “classic” qs format employed unauthenticated CBC (Cipher Block Chaining) encryption. This implementation behaved as a padding oracle, a cryptographic flaw that allows an attacker to decrypt data and forge new, valid ciphertexts by observing how the server responds to modified padding.

By utilizing the padre tool to exploit the oracle, and subsequently automating the process via the AMPScript MicrositeURL function, researchers were able to forge valid qs values. This allowed them to pivot into features like “Forward to a Friend,” which resolves internal subscriber identifiers (ls) into plain-text email addresses.
The most critical architectural failure was the use of a single static key shared across multiple tenants. Once the cryptographic scheme was cracked, the barrier between tenants collapsed, theoretically allowing an attacker to enumerate subscribers and view private email content across any customer sharing that infrastructure.
Furthermore, an even older URL variant was identified that utilized a primitive “encryption” method—a simple XOR operation with a repeating static key and a checksum. This legacy scheme remained active on modern tenants, enabling high-speed, low-overhead decryption of critical parameters like JobID and ListSubscriber.
Technical Impact and Remediation
The convergence of these vulnerabilities created a catastrophic exploitation scenario. An attacker possessing either an injected template payload or a valid “view email” URL could:
- Exfiltrate Data: Systematically harvest subscriber records, sent message histories, and engagement metrics.
- Cross-Tenant Access: Forge
qstokens to hijack email sessions belonging to entirely different organizations. - Workflow Manipulation: Abuse hard-coded cryptographic material and argument injection within
MicrositeURLto manipulate cloud-based web workflows.
Salesforce has assigned multiple CVEs to address the various root causes, spanning broken cryptography, hard-coded keys, and argument injection flaws.
The Response: Reported on January 16, 2026, Salesforce deployed mitigations between January 21 and 24. While no active malicious exploitation has been confirmed, the remediation was sweeping:
- Migrated Marketing Cloud Engagement to AES-GCM for robust, authenticated link encryption.
- Rotated all compromised cryptographic keys.
- Disabled the dangerous double-evaluation of subject lines.
- Forcibly invalidated all legacy tracking and CloudPages links created before January 21, 2026.
The Takeaway for Security Professionals: This incident serves as a stark reminder that in a SaaS ecosystem, shared infrastructure necessitates absolute cryptographic isolation. Template engines must be audited as high-risk code execution environments, and “home-grown” or legacy cryptographic schemes must be treated as non-existent in the face of modern automated attack tooling.