Salesforce Warns of Mass-Scanning Campaign Targeting Experience Cloud Misconfigurations
#Security

Security Reporter
3 min read

Salesforce has issued a security alert about threat actors using a modified version of the AuraInspector tool to mass-scan public Experience Cloud sites and extract sensitive data from misconfigured guest user profiles.

Salesforce has issued a security alert about a significant increase in threat actor activity targeting publicly accessible Experience Cloud sites through the exploitation of misconfigured guest user settings. The campaign involves the use of a customized version of the open-source AuraInspector tool to perform mass scanning and data extraction operations.

Modified AuraInspector Tool Enables Data Extraction

The threat actors are leveraging a modified version of AuraInspector, originally designed by Mandiant (now part of Google) as an open-source tool for identifying access control misconfigurations within the Salesforce Aura framework. While the original tool was limited to identifying vulnerable objects by probing API endpoints, the attackers have enhanced it to actually extract data from overly permissive guest user configurations.

According to Salesforce, the modified tool goes beyond simple identification to actively exploit misconfigurations. The attackers are specifically targeting the /s/sfsites/aura endpoint that public-facing Experience Cloud sites expose, using it to query Salesforce CRM objects without authentication.

How the Attack Works

Salesforce Experience Cloud sites use a dedicated guest user profile that allows unauthenticated users to access public content like landing pages, FAQs, and knowledge articles. However, when this profile is misconfigured with excessive permissions, it can inadvertently grant unauthenticated users access to sensitive data.

For this attack to succeed, two conditions must be met: the Experience Cloud customer must be using the guest user profile, and they must not have followed Salesforce's recommended configuration guidance. The attackers exploit these misconfigurations to directly query CRM objects without needing to log in.

Attribution and Broader Context

Salesforce attributed the campaign to a known threat actor group but did not disclose the specific name. However, the description and targeting patterns suggest it could be the work of ShinyHunters (also known as UNC6240), a group with a documented history of targeting Salesforce environments through third-party applications from companies like Salesloft and Gainsight.

Salesforce emphasized that this activity does not exploit any inherent vulnerability in the Salesforce platform itself. Instead, it focuses on customer configuration settings that, if not properly secured, increase exposure to data harvesting attempts.

To protect against this threat, Salesforce recommends several critical security measures:

  • Review Experience Cloud guest user settings and ensure the Default External Access for all objects is set to Private
  • Disable guest users' access to public APIs
  • Restrict visibility settings to prevent guest users from enumerating internal organization members
  • Disable self-registration if not required for business operations
  • Monitor logs for unusual queries that could indicate scanning activity
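The last recommendation above is the one that is easiest to act on immediately, since it needs no configuration change. The script below is an added illustration of what "monitoring for unusual queries" can look like in practice; it is not Salesforce's code and not part of the advisory. It assumes a hypothetical access-log layout (ISO timestamp, client IP, user, method, path, status) rather than any real Salesforce Event Monitoring format, and it flags any source address that, as the unauthenticated guest user, hits the /s/sfsites/aura endpoint named in the advisory more than a threshold number of times inside a sliding window. The sample traffic is constructed inline: one burst that looks like automated scanning, one slow drip that does not, and an ordinary visitor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the Salesforce advisory.
AURA_PATH = "/s/sfsites/aura"

# Hypothetical access-log layout (an assumption, not a Salesforce format):
# "<ISO timestamp> <client IP> <user> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def is_guest_aura_request(rec):
    """Only unauthenticated (guest) traffic to the Aura endpoint is of interest here."""
    return rec["user"] == "guest" and rec["path"].split("?", 1)[0] == AURA_PATH


def find_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_count} for every IP whose guest Aura requests reach
    `threshold` inside any `window`-long interval (two-pointer sliding window)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_guest_aura_request(rec):
            by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data): a scan-like burst, a slow drip,
    a normal visitor, an authenticated user, and one malformed line."""
    base = datetime(2024, 1, 10, 10, 0, 0)

    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 12 guest requests to the Aura endpoint within 22 seconds: looks automated.
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(seconds=2 * i))} 203.0.113.7 guest POST {AURA_PATH}?r=1 200")
    # 12 guest requests spread over 22 minutes: never more than one per window.
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(minutes=2 * i))} 192.0.2.9 guest POST {AURA_PATH}?r=1 200")
    # Ordinary visitor reading a public page; one Aura call is normal page rendering.
    lines.append(f"{fmt(base)} 198.51.100.5 guest GET /s/faq 200")
    lines.append(f"{fmt(base + timedelta(seconds=1))} 198.51.100.5 guest POST {AURA_PATH}?r=2 200")
    # Authenticated user on the same endpoint is out of scope for this check.
    lines.append(f"{fmt(base)} 198.51.100.6 alice POST {AURA_PATH}?r=3 200")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for ip, peak in find_scanners(build_sample_log()).items():
        print(f"{ip}: {peak} guest requests to {AURA_PATH} within 60s")
```

The threshold and window are deliberately parameters: a site whose pages legitimately make many Aura calls per visit will need a higher threshold or a per-path breakdown, and a real deployment would also look at the distinct objects requested rather than raw volume. Because the scan works without authentication, filtering on the guest user is what separates this signal from normal authenticated portal use.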

Identity-Based Targeting Trend

The company noted that this threat actor activity reflects a broader trend of "identity-based" targeting in cybersecurity. Data harvested through these scans, such as names and phone numbers, is often used to build follow-on targeted social engineering and "vishing" (voice phishing) campaigns.

This campaign highlights the critical importance of proper configuration management in cloud environments, particularly for publicly accessible services. Even when platforms are secure by design, misconfigurations can create significant attack surfaces that sophisticated threat actors are quick to exploit.

For organizations using Salesforce Experience Cloud, conducting a thorough audit of guest user permissions and API access controls should be considered a high priority security task. The combination of automated scanning tools and targeted social engineering makes this a particularly dangerous threat pattern that requires both technical and procedural defenses.
