CVE-2025-9844 is an Uncontrolled Search Path Element vulnerability (CWE-427) affecting the Salesforce Command Line Interface (CLI) on Windows platforms. The vulnerability arises because the CLI improperly handles the search path for executables, allowing an attacker with local privileges to insert or replace a trusted executable in a directory that the CLI searches before the legitimate executable. When the CLI runs, it may execute the malicious replacement instead of the intended binary, leading to arbitrary code execution with the privileges of the CLI user. This can compromise system confidentiality, integrity, and availability. The affected versions are all Salesforce CLI releases before 2.106.6, which do not properly validate or restrict the search path elements. The vulnerability requires local privileges but no user interaction, making it easier to exploit in environments where multiple users share systems or where attackers have gained limited access. The CVSS v3.1 base score is 8.8, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered critical for organizations relying on Salesforce CLI for development and deployment tasks on Windows.

The impact of CVE-2025-9844 is substantial for organizations using Salesforce CLI on Windows. Successful exploitation allows attackers to execute arbitrary code with the privileges of the CLI user, potentially leading to full system compromise. This can result in unauthorized access to sensitive Salesforce development environments, leakage or manipulation of proprietary source code, and disruption of deployment pipelines. The integrity of development and deployment processes can be undermined, causing cascading effects on production environments and business operations. Additionally, if attackers gain persistence through this vector, they may establish footholds for further lateral movement within corporate networks. The vulnerability's ease of exploitation (low complexity, no user interaction) increases the risk, especially in multi-user or shared workstation environments. Organizations with extensive Salesforce development activities, particularly those integrating CLI tools into automated workflows, face elevated risks of operational disruption and data breaches.

To mitigate CVE-2025-9844, organizations should immediately upgrade Salesforce CLI to version 2.106.6 or later once available. Until patches are applied, restrict write permissions on directories included in the executable search path to prevent unauthorized replacement of trusted executables. Implement application whitelisting and code integrity policies to detect and block execution of unauthorized binaries. Use Windows security features such as Controlled Folder Access and AppLocker to limit executable modifications and execution. Regularly audit and monitor directories in the PATH environment variable for unexpected changes or suspicious files. Employ endpoint detection and response (EDR) solutions to identify anomalous process executions related to the CLI. Educate users about the risks of running CLI tools on shared or untrusted systems. Finally, isolate development environments and limit local user privileges to reduce the attack surface.