According to a recent advisory from Salesforce Security, threat actors are actively scanning public-facing Salesforce Experience Cloud sites in search of misconfigured guest user permissions.
The campaign does not exploit a vulnerability in the Salesforce platform itself. Instead, attackers are targeting environments where anonymous guest user profiles have been granted broader access than intended.
Where these misconfigurations exist, attackers may be able to query Salesforce CRM objects directly through publicly exposed endpoints and extract information without authentication.
Salesforce emphasises that the platform remains secure. However, the activity highlights a familiar challenge in modern cloud environments: the risk created by configuration complexity rather than software flaws.
How the Activity Works
The threat actor campaign identified by Salesforce involves scanning publicly accessible Experience Cloud sites using a modified version of Aura Inspector, an open-source testing tool originally developed by Mandiant.
Experience Cloud sites often allow anonymous visitors to access limited content using a shared guest user profile.
This is commonly used for:
- Customer help portals
- Public knowledge bases
- Partner portals
- Registration or onboarding pages
However, if the guest user profile has excessive permissions, attackers may be able to query internal Salesforce data through exposed API endpoints such as:
/s/sfsites/aura
According to Salesforce, the modified tooling used in this campaign allows threat actors not only to identify misconfigured objects, but also to extract data directly where access controls are too permissive.
This means the exposure is not caused by a breach of the platform itself, but by configuration decisions made within individual customer environments.
Salesforce has also published guidance on preventing the most common guest user configuration mistakes, which administrators should review alongside this advisory.
Why This Matters
The information accessible through these misconfigurations may appear relatively benign at first glance. It typically consists of data such as:
- Names
- Phone Numbers
- Email Addresses
- Internal organisational relationships
However, attackers rarely stop at simple data collection.
Salesforce notes that harvested information is frequently used to support follow-on social engineering campaigns, including:
- targeted phishing
- voice phishing (vishing)
- impersonation attacks
In other words, even small volumes of exposed CRM data can become high-value intelligence for attackers planning further intrusion attempts.
A Broader Pattern in Cloud Security
This advisory reflects a broader trend seen across many cloud platforms.
The platform layer of a modern SaaS product is generally well hardened by the vendor, but it is also highly configurable. As organisations extend platforms with portals, APIs, automation and integrations, the number of access control decisions grows rapidly, and each one is made by the customer rather than the vendor.
In practice, many incidents now arise not from vulnerabilities in the platform itself, but from:
- overly permissive access rules
- legacy configurations left in place
- permissions granted during development or testing
- incomplete reviews of public-facing services
Guest user access in Salesforce is simply one example of a wider category of identity and access misconfiguration risk.
Recommended Actions for Salesforce Customers
Salesforce recommends that organisations review their Experience Cloud configurations and ensure that guest user access follows the principle of least privilege.
Key steps include:
Audit guest user configurations
Review the guest user profile to ensure it is restricted to the minimum objects and fields required for the site to function.
Set org-wide defaults to “Private”
Ensure external org-wide defaults are configured so that records are hidden from guest users unless an explicit guest user sharing rule grants access, and review each such sharing rule, since every one of them widens what an anonymous visitor can read.
Disable public API access for guest users
Disable public API access in site settings and remove API permissions from the guest user profile where possible.
Restrict internal user visibility
Disable settings that allow guest users to view or enumerate internal users within the organisation.
Disable self-registration where unnecessary
If your site does not require unauthenticated visitors to create accounts, disabling self-registration can reduce the risk of attackers escalating guest access.
Salesforce also recommends reviewing Event Monitoring logs for unusual activity patterns, such as unexpected spikes in queries or access to objects not intended to be public.
Detailed configuration guidance for administrators is available in Salesforce’s published security documentation, which organisations should review alongside their internal security procedures.
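The first step above, auditing the guest user profile, is the one that most often gets skipped because the grants are spread across many objects. The following script is an added example, not code from the Salesforce advisory or from Salesforce itself: it pulls the object permissions owned by every guest user profile in an org and flags anything beyond read access to an explicit allowlist. The SOQL relies on the standard ObjectPermissions, PermissionSet, Profile and UserLicense relationships; the `sf data query --json` envelope shape, the "Help Portal Profile" name and the `Knowledge__kav` allowlist are assumptions for illustration, and the sample data is constructed rather than taken from a real org.

```python
"""
Audit guest user profile object permissions for least privilege.

Added example (not from the Salesforce advisory): takes the JSON output of an
ObjectPermissions SOQL query and flags grants that a public Experience Cloud
guest user should not normally hold.
"""
import json
from dataclasses import dataclass

# SOQL that pulls object permissions owned by any guest user profile.
# Assumes the standard ObjectPermissions -> PermissionSet -> Profile ->
# UserLicense relationships. Run it with, for example:
#   sf data query --query "$GUEST_OBJECT_PERMS_SOQL" --json > guest_perms.json
GUEST_OBJECT_PERMS_SOQL = """
SELECT Parent.Profile.Name, SobjectType,
       PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete,
       PermissionsViewAllRecords, PermissionsModifyAllRecords
FROM ObjectPermissions
WHERE Parent.IsOwnedByProfile = true
  AND Parent.Profile.UserLicense.Name = 'Guest User License'
"""

# Hypothetical allowlist: the objects this particular public help portal needs
# guest READ access to. Anything else readable by the guest user is a finding.
ALLOWED_READ = {"Knowledge__kav"}

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    issue: str


def load_records(query_json: str) -> list:
    """Accept either the `sf data query --json` envelope or a bare record list."""
    data = json.loads(query_json)
    if isinstance(data, dict):
        data = data.get("result", data).get("records", [])
    return data


def audit_guest_permissions(records, allowed_read=ALLOWED_READ) -> list:
    """Return one Finding per permission grant a guest profile should not hold."""
    findings = []
    for rec in records:
        profile = rec["Parent"]["Profile"]["Name"]
        obj = rec["SobjectType"]
        # Any create/edit/delete on a public site is almost never intended.
        writes = [f for f in WRITE_FLAGS if rec.get(f)]
        if writes:
            findings.append(Finding(profile, obj, "write access: " + ", ".join(writes)))
        # View All / Modify All bypass sharing rules entirely for that object.
        broad = [f for f in BROAD_FLAGS if rec.get(f)]
        if broad:
            findings.append(Finding(profile, obj, "bypasses sharing: " + ", ".join(broad)))
        # Read is only acceptable on objects the site is known to need.
        if rec.get("PermissionsRead") and obj not in allowed_read:
            findings.append(Finding(profile, obj, "read access outside allowlist"))
    return findings


# Constructed sample in the `sf data query --json` shape; not real org data.
SAMPLE_QUERY_JSON = json.dumps({
    "status": 0,
    "result": {"totalSize": 3, "done": True, "records": [
        {"Parent": {"Profile": {"Name": "Help Portal Profile"}},
         "SobjectType": "Knowledge__kav", "PermissionsRead": True,
         "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
         "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
        {"Parent": {"Profile": {"Name": "Help Portal Profile"}},
         "SobjectType": "Contact", "PermissionsRead": True,
         "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
         "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
        {"Parent": {"Profile": {"Name": "Help Portal Profile"}},
         "SobjectType": "Account", "PermissionsRead": True,
         "PermissionsCreate": False, "PermissionsEdit": True, "PermissionsDelete": False,
         "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False},
    ]},
})


if __name__ == "__main__":
    for f in audit_guest_permissions(load_records(SAMPLE_QUERY_JSON)):
        print(f"[{f.profile}] {f.sobject}: {f.issue}")
```

Run against the constructed sample, the script reports nothing for the knowledge article object and four findings against Contact and Account: the Contact read outside the allowlist, and for Account the Edit grant, the View All Records grant and the read outside the allowlist. In a real review, feed it the saved query output instead of the sample, and treat every finding as a question to the site owner about whether the site genuinely needs that access.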
What Organisations Should Take Away
Incidents like this reinforce an important reality of modern cyber security.
The most significant risks are often not dramatic system compromises, but smaller gaps created through configuration decisions that evolve over time.
Platforms like Salesforce provide powerful capabilities to expose data to customers, partners and the public. But every new portal, API endpoint or access rule introduces another place where permissions must be carefully managed.
Regular configuration reviews, access audits and monitoring remain essential to ensuring that systems behave exactly as intended.
If your organisation operates Salesforce portals or other public-facing cloud services, independent penetration testing can help identify configuration weaknesses before they are discovered externally.
For any questions about how this issue could affect your organisation, please get in touch with our team.