Impact
Salesforce Marketing Cloud Engagement employs a broken or risky cryptographic algorithm in several web‑page and data‑synchronization modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage. This weakness, classified as CWE‑327, undermines the integrity of the Web Services Protocol and permits an attacker to manipulate protocol traffic. The vulnerability description does not, on its own, state that an attacker can exfiltrate data or execute code; it only indicates that crafted requests could alter or inject protocol messages.
Affected Systems
Every instance of Marketing Cloud Engagement running a version released before January 21, 2026 is affected. The vulnerability spans all modules that expose web services endpoints within the platform, so any customer still running a version released before that date remains vulnerable.
Risk and Exploitability
The CVSS score of 9.8 signals a critical threat, yet the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker, presumed to have access to the exposed web services, could send specially crafted requests over HTTP/HTTPS to the vulnerable modules and manipulate protocol messages, because the broken cryptographic algorithm fails to verify integrity. The risk rises for publicly exposed instances or environments lacking strict input validation at the web‑services layer.
OpenCVE Enrichment