Press ESC to close

AI Agent Risks Exposed in Salesforce Agentforce

Introduction

AI agents like Salesforce Agentforce represent the next leap in CRM automation—but also a massive new attack surface. In September 2025, Noma Labs disclosed ForcedLeak—a critical CVSS 9.4 vulnerability chain that revealed how AI-driven systems can be exploited through indirect prompt injection attacks.

What Is ForcedLeak?

ForcedLeak allowed attackers to:

  • Embed malicious instructions inside Web-to-Lead forms.

  • Exploit Salesforce’s Content Security Policy (CSP) bypass.

  • Exfiltrate sensitive CRM data (contacts, sales pipelines, integration data).

Unlike chatbots, Agentforce executes autonomous multi-step tasks, meaning a hidden payload could run during normal employee workflows—without detection.

Who Was at Risk?

Any company using Salesforce Agentforce Web-to-Lead functionality, especially in:

  • Sales & Marketing campaigns

  • Customer acquisition workflows

  • External event lead collection (conferences, trade shows, web forms)

Key Business Impacts

  • CRM Data Exposure: Customer records, sales strategies, internal communications

  • Regulatory Risk: Compliance failures and breach reporting penalties

  • Reputation Damage: Loss of customer trust

  • Blast Radius: Attackers could pivot into integrated systems & APIs, compounding impact

Attack Path Summary

  1. Injection: Attacker submits crafted lead data via Salesforce Web-to-Lead.

  2. Trigger: Employee queries AI about the lead.

  3. Execution: Agentforce processes malicious instructions as legitimate.

  4. Exfiltration: Data sent through an expired whitelisted CSP domain.

How Salesforce Responded

Salesforce quickly:

  • Patched Agentforce to enforce Trusted URLs.

  • Secured expired whitelist domains.

  • Released mitigation guidance for customers.

What Organizations Should Do Now

  • Apply Salesforce’s patches and enforce Trusted URLs.

  • Audit historical leads for suspicious instructions.

  • Implement input sanitization across all user-controlled data.

  • Deploy AI security monitoring for indirect prompt injection patterns.

Conclusion

ForcedLeak highlights a new reality: AI agents expand the attack surface beyond simple prompts. With autonomous decision-making, memory, and integrations, they can unknowingly become conduits for hidden attacker logic.

See also  How Can I Recover From A Data Breach?

Organizations must shift to AI-native security practices—from prompt injection detection to strict CSP controls—to prevent the next exploit.

Related posts:

What Is The Internet Of Things (IoT), And What Are Its Security Risks? What Are The Security Risks Associated With BYOD (Bring Your Own Device) Policies? What Are The Security Risks Of Using Outdated Software? How Do I Conduct A Risk Assessment For Cybersecurity? What Is Social Engineering, And How Can I Avoid It? The Ghosts in Your NetworkThe Ghosts in Your Network

CyberBestPractices

I am CyberBestPractices, the author behind EncryptCentral's Cyber Security Best Practices website. As a premier cybersecurity solution provider, my main focus is to deliver top-notch services to small businesses. With a range of advanced cybersecurity offerings, including cutting-edge encryption, ransomware protection, robust multi-factor authentication, and comprehensive antivirus protection, I strive to protect sensitive data and ensure seamless business operations. My goal is to empower businesses, even those without a dedicated IT department, by implementing the most effective cybersecurity measures. Join me on this journey to strengthen your cybersecurity defenses and safeguard your valuable assets. Trust me to provide you with the expertise and solutions you need.