Cyber Resilience

CVE-2026-22585

Severity: Critical
Published: 24 January 2026
Modified: 12 February 2026
CISA KEV: not listed
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0038 (30.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-22585 is a Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Salesforce Marketing Cloud Engagement with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0038 places it at the 30.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The CVSS score describes worst-case technical impact, while the EPSS score predicts a low probability of in-the-wild exploitation in the near term; read the two together when prioritising rather than relying on either alone.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22585 is a Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) in Salesforce Marketing Cloud Engagement. It affects the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules in releases before January 21st, 2026. The weakness enables Web Services Protocol Manipulation (the CAPEC-278 attack pattern) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

Remote unauthenticated attackers can exploit this vulnerability over the network without privileges or user interaction. Successful exploitation allows manipulation of web services protocols, with high impact on the confidentiality, integrity, and availability of affected systems. Neither the CVE description nor this page identifies the weak algorithm or the specific manipulation involved; the impact statement above is what the CVSS vector asserts, not the detail of a published exploit.

Salesforce's security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1 details mitigation steps. The issue is resolved in Marketing Cloud Engagement updates released on or after January 21st, 2026. Because Marketing Cloud Engagement is a Salesforce-hosted service, the fix is rolled out by Salesforce rather than installed by customers; use the advisory to confirm the release date applied to your tenant and whether any customer-side action is required.


Vulnerability details

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique: direct remote unauthenticated exploitation of a critical vulnerability in public-facing Salesforce web modules (CloudPages and the other listed modules) matches T1190 exactly; the broken cryptographic algorithm enables the protocol manipulation but does not map to an additional distinct technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22586 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22582 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22583 (same product: Salesforce Marketing Cloud Engagement)
CVE-2026-22584 (same vendor: Salesforce)
CVE-2026-21718 (shared CWE-327)
CVE-2022-3365 (shared CWE-327)
CVE-2025-68702 (shared CWE-327)
CVE-2024-41763 (shared CWE-327)
CVE-2024-22347 (shared CWE-327)
CVE-2025-63912 (shared CWE-327)

Affected Assets

Vendor: Salesforce
Product: Marketing Cloud Engagement
Affected: releases before 2026-01-21 (fixed in updates released on or after 2026-01-21)

Mitigating Controls (NIST 800-53 r5)

SC-13 Cryptographic Protection (prevent): requires FIPS-validated or NIST-recommended cryptographic mechanisms. Applied during the development of the affected modules, it would have ruled out the broken or risky algorithm that enables the web services protocol manipulation in CVE-2026-22585.

SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and remediation of flaws. For this CVE that means confirming the tenant is running a Marketing Cloud Engagement update released on or after January 21st, 2026.

RA-5 Vulnerability Monitoring and Scanning (detect): requires monitoring for known vulnerabilities. Tenant-side scanners cannot inspect the algorithms inside a hosted service, so in practice this control is satisfied by tracking vendor advisories and vulnerability feeds for this CVE and verifying the fixed release date against your tenant.
