Cyber Posture

CVE-2026-22585

Critical

Published: 24 January 2026

Modified: 12 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22585 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 3.0th percentile by EPSS exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-13 requires FIPS-validated or NIST-recommended cryptographic mechanisms, directly preventing the use of the broken or risky algorithms that CVE-2026-22585 exploits for web services protocol manipulation.

Prevent: SI-2 mandates timely identification, reporting, and remediation of flaws, which means applying the Marketing Cloud Engagement updates released on or after January 21st, 2026 to the affected modules without delay.

Detect: RA-5 requires vulnerability scanning to identify the use of risky cryptographic algorithms, or this specific CVE, in CloudPages and the related modules.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of a critical vulnerability in public-facing Salesforce web modules (CloudPages etc.) matches T1190 exactly; broken crypto enables protocol manipulation but does not map to additional distinct techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Deeper Analysis

CVE-2026-22585 is a Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) in Salesforce Marketing Cloud Engagement. It affects the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules in versions prior to January 21st, 2026. The vulnerability enables Web Services Protocol Manipulation and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Remote unauthenticated attackers can exploit this vulnerability over the network without requiring privileges or user interaction. Successful exploitation allows manipulation of web services protocols, leading to high impacts on confidentiality, integrity, and availability of affected systems.

Salesforce's security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1 details mitigation steps. The issue is resolved in Marketing Cloud Engagement updates released on or after January 21st, 2026.

Details

CWE(s): CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Affected Products

Salesforce Marketing Cloud Engagement, versions ≤ 2026-01-21

CVEs Like This One

CVE-2026-22582 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22586 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22583 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22584 (same vendor: Salesforce)
CVE-2026-21718 (shared CWE-327)
CVE-2025-68702 (shared CWE-327)
CVE-2025-22475 (shared CWE-327)
CVE-2025-2539 (shared CWE-327)
CVE-2026-34950 (shared CWE-327)
CVE-2025-63912 (shared CWE-327)
