Salesforce has warned users of an uptick in threat actor activity targeting Experience Cloud customers who have accidentally enabled overly permissive guest user configurations.
Salesforce stressed that the attacks were not the result of any known flaws in its product but rather the result of misconfigurations during the setup process.
Exploitation of these misconfigurations appears to be the work of the ShinyHunters operation which, along with a loosely affiliated network of hackers, caused chaos during the summer of 2025 in a social engineering campaign. In that earlier activity, the group used voice phishing calls to abuse Salesforce clients’ Data Loader application, which is used for bulk movement of data records.
In a statement posted at the weekend, Salesforce said: “Our Cyber Security Operations Center [CSOC] has been monitoring a campaign by a known threat actor group. Evidence indicates the threat actor is leveraging a modified version of the open source tool Aura Inspector – originally developed by Mandiant – to perform mass scanning of public-facing Experience Cloud sites.
“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose, specifically the /s/sfsites/aura endpoint, the actor has developed a custom version of the tool capable of going beyond identification to actually extract data – exploiting overly permissive guest user settings.”
The Salesforce team explained that in a publicly accessible Experience Cloud site, a visitor will share a guest user profile that typically enables them to view data that might be reasonably made public as an unauthenticated user.
The issue arises if these profiles are configured with enhanced privileges enabling a visitor – or cyber criminal – to directly query Salesforce CRM objects without having logged in. This setup is ill-advised and runs contrary to Salesforce’s suggested configuration guidance.
Mandiant confirmed it was aware of the issue and has said it is actively working with Salesforce.
Salesforce did not name ShinyHunters directly; rather, the group itself claimed – via The Register – that it had hit almost 400 websites and 100 tech companies, including the likes of AMD, LastPass, Okta, Snowflake and Sony, over a period of several months.
KnowBe4 lead CISO adviser Javvad Malik commented: “This is another case of simple misconfigurations wreaking havoc across organisations. We’ve seen many minor misconfigurations in cloud environments which cause data to be exposed.
“It is why a strong security culture across organisations is important, so that everyone plays their part in keeping data secure, especially when it comes to cloud services which many people often assume to be secure. All settings need to be regularly reviewed, ensuring the principle of least privilege is adhered to, and robust monitoring and alerting is put in place.”
Next steps
In its guidance, Salesforce said Experience Cloud guest users should be restricted to the absolute minimum of objects and fields needed for the public-facing site to function.
It recommended an immediate audit of guest user permissions and that teams rigorously enforce a “least privilege” access model. Security teams should question every object permission listed and remove anything that is not obviously needed – a good place to start is to cut off everything and build permissions back from there.
Next, default external access to all objects should be set to private across the organisation, and this should be verified and confirmed.
Following that, guest users will need to be blocked from accessing public application programming interfaces (APIs) to close off the Aura endpoint to unauthenticated queries. Security teams should also lock down portal and site user visibility settings to stop guests from enumerating internal users. Finally, should your site not require unauthenticated visitors to create their own accounts, disable self-registration.
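The first two steps above (audit guest object permissions against a least-privilege allowlist, then confirm default external access is private) can be checked mechanically rather than by eye. The following is an added example, not Salesforce’s tooling or anything from the advisory. It consumes JSON in the shape a Salesforce REST/Tooling query returns (a records array with SobjectType and Permissions* fields on ObjectPermissions, and QualifiedApiName / ExternalSharingModel on EntityDefinition); the sample records, the allowlist and the “public knowledge base only” assumption are constructed for illustration.

```python
"""Guest-user least-privilege audit for an Experience Cloud site (added example).

Assumptions (not from the advisory): the public site only needs read access to
published knowledge articles, so GUEST_ALLOWLIST has one entry. Everything else a
guest profile can touch is reported as excess.
"""
import json

# Permission columns on ObjectPermissions, mapped to the short names used in findings.
PERM_FIELDS = {
    "PermissionsRead": "Read",
    "PermissionsCreate": "Create",
    "PermissionsEdit": "Edit",
    "PermissionsDelete": "Delete",
    "PermissionsViewAllRecords": "ViewAll",
    "PermissionsModifyAllRecords": "ModifyAll",
}

# Any of these on a guest profile is a high-severity finding regardless of object.
WRITE_OR_BYPASS = {"Create", "Edit", "Delete", "ViewAll", "ModifyAll"}

# Assumption: object -> permissions the public site genuinely needs.
GUEST_ALLOWLIST = {"Knowledge__kav": {"Read"}}

# Constructed sample: what a query over ObjectPermissions for the guest profile
# might return for a site whose guest user was left too permissive.
SAMPLE_OBJECT_PERMS = json.dumps({
    "totalSize": 3, "done": True,
    "records": [
        {"attributes": {"type": "ObjectPermissions"}, "SobjectType": "Knowledge__kav",
         "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
         "PermissionsDelete": False, "PermissionsViewAllRecords": False,
         "PermissionsModifyAllRecords": False},
        {"attributes": {"type": "ObjectPermissions"}, "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
         "PermissionsDelete": False, "PermissionsViewAllRecords": True,
         "PermissionsModifyAllRecords": False},
        {"attributes": {"type": "ObjectPermissions"}, "SobjectType": "Case",
         "PermissionsRead": True, "PermissionsCreate": True, "PermissionsEdit": True,
         "PermissionsDelete": False, "PermissionsViewAllRecords": False,
         "PermissionsModifyAllRecords": False},
    ],
})

# Constructed sample of per-object default external access (EntityDefinition).
SAMPLE_SHARING = json.dumps({
    "totalSize": 3, "done": True,
    "records": [
        {"QualifiedApiName": "Knowledge__kav", "ExternalSharingModel": "Read"},
        {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
        {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    ],
})


def granted(record: dict) -> set:
    """Short names of the permissions that are switched on in one ObjectPermissions record."""
    return {short for field, short in PERM_FIELDS.items() if record.get(field)}


def audit_object_permissions(export_json: str, allowlist=GUEST_ALLOWLIST) -> list:
    """Report every guest object permission not covered by the allowlist."""
    findings = []
    for rec in json.loads(export_json)["records"]:
        obj = rec["SobjectType"]
        excess = granted(rec) - allowlist.get(obj, set())
        if excess:
            findings.append({
                "object": obj,
                "excess": sorted(excess),
                "severity": "high" if excess & WRITE_OR_BYPASS else "medium",
            })
    return sorted(findings, key=lambda f: f["object"])


def audit_external_sharing(export_json: str, allowlist=GUEST_ALLOWLIST) -> list:
    """Objects whose default external access is not Private and that the site does not need."""
    return sorted(
        r["QualifiedApiName"]
        for r in json.loads(export_json)["records"]
        if r["ExternalSharingModel"] != "Private" and r["QualifiedApiName"] not in allowlist
    )


if __name__ == "__main__":
    for f in audit_object_permissions(SAMPLE_OBJECT_PERMS):
        print(f"[{f['severity']}] guest has {', '.join(f['excess'])} on {f['object']}")
    for obj in audit_external_sharing(SAMPLE_SHARING):
        print(f"[medium] default external access on {obj} is not Private")
```

The allowlist is deliberately the starting point, matching the “cut off everything and build back” approach: an object absent from it is reported even for read access, and any write or view-all/modify-all grant is raised to high severity because a guest should never hold those.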
Salesforce also recommends security teams review event monitoring logs related to Aura, looking for strange access patterns, queries targeting private objects, traffic from unusual IP ranges and so on. Salesforce Support is on hand to advise should you suspect compromise, and more detailed guidance is available via the linked advisory notice.
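The log review described above (guest traffic to the Aura endpoint, queries against objects that should be private, one source touching many objects in quick succession) is a detection rule that can run over exported event logs. The following is an added example, not part of the article or Salesforce’s own event monitoring product. The CSV column names (timestamp, user_type, client_ip, uri, entity, status) are a constructed schema for illustration, not the field names of Salesforce’s EventLogFile, and the log lines, the public-object allowlist and the thresholds are all assumptions.

```python
"""Triage of Aura endpoint requests from guest users (added example, constructed log schema)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

AURA_URI = "/s/sfsites/aura"

# Assumption: the only object this public site legitimately serves to guests.
PUBLIC_OBJECTS = {"Knowledge__kav"}

# Constructed sample log. 203.0.113.7 walks through several CRM objects in a few
# seconds, which is the mass-scan pattern the advisory asks teams to look for.
SAMPLE_LOG = """timestamp,user_type,client_ip,uri,entity,status
2025-10-20T08:00:01Z,Guest,198.51.100.23,/s/sfsites/aura,Knowledge__kav,200
2025-10-20T08:00:02Z,Guest,203.0.113.7,/s/sfsites/aura,Account,200
2025-10-20T08:00:02Z,Guest,203.0.113.7,/s/sfsites/aura,Contact,200
2025-10-20T08:00:03Z,Guest,203.0.113.7,/s/sfsites/aura,Lead,200
2025-10-20T08:00:03Z,Guest,203.0.113.7,/s/sfsites/aura,Opportunity,200
2025-10-20T08:00:04Z,Guest,203.0.113.7,/s/sfsites/aura,Case,200
2025-10-20T08:00:05Z,Standard,192.0.2.44,/s/sfsites/aura,Case,200
2025-10-20T08:01:10Z,Guest,198.51.100.23,/s/sfsites/aura,Knowledge__kav,200
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage_aura_log(csv_text: str, public_objects=PUBLIC_OBJECTS,
                    enum_threshold: int = 4, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {client_ip: finding} for guest sources that query non-public objects
    or touch at least `enum_threshold` distinct objects inside `window`."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Authenticated users are out of scope here; only unauthenticated Aura traffic matters.
        if row["user_type"] != "Guest" or row["uri"] != AURA_URI:
            continue
        by_ip[row["client_ip"]].append((parse_ts(row["timestamp"]), row["entity"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        private = sorted({entity for _, entity in events if entity not in public_objects})

        # Peak number of distinct objects queried by this source inside any one window.
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = {entity for ts, entity in events[i:] if ts - start <= window}
            peak = max(peak, len(seen))

        reasons = []
        if private:
            reasons.append("queried non-public objects: " + ", ".join(private))
        if peak >= enum_threshold:
            reasons.append(f"{peak} distinct objects within {int(window.total_seconds())}s")
        if reasons:
            findings[ip] = {"private_objects": private, "peak_distinct_objects": peak,
                            "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in triage_aura_log(SAMPLE_LOG).items():
        print(ip)
        for reason in finding["reasons"]:
            print("  -", reason)
```

Either rule on its own is a signal: a single guest query against an object that should be private points at a permission that survived the audit, while a burst of distinct objects from one source is the scanning behaviour of a tool probing the endpoint, even when each individual request returns nothing. Pairing the source IP with the org’s expected traffic (CDN or monitoring ranges, for instance) is the obvious next filter and is left as a site-specific decision.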