Threat actors are exploiting overly permissive guest user configurations in Salesforce Experience Cloud to mass-scan public-facing sites and extract sensitive CRM data. Using a modified version of the open-source Aura Inspector tool, attackers query Salesforce objects without authenticating; the queries succeed wherever the site's guest user profile grants more object access than the site actually needs. Salesforce characterizes this as a customer misconfiguration rather than a platform vulnerability. ShinyHunters has claimed credit for some of the attacks. Salesforce recommends that customers audit their guest user settings, set org-wide sharing defaults to Private, disable public APIs, restrict what guest users can see, and review Event Monitoring logs for anomalous guest activity. Security experts note that these attacks are increasing because CRMs concentrate large amounts of sensitive data and misconfigured third-party integrations offer easy entry points.
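The audit Salesforce recommends can be scripted. The following is an added example (not code from the Dark Reading article, Salesforce, or Aura Inspector) that evaluates the records an admin would pull with three real queries: guest profiles from `Profile`, their object rights from `ObjectPermissions`, and org-wide external sharing defaults from the Tooling API's `EntityDefinition`. The `SENSITIVE_OBJECTS` set, the severity rules and every sample record below are constructed for the demo; they are not data from any real org.

```python
"""Audit Salesforce Experience Cloud guest-user exposure from query results.

Added example, not code from the Dark Reading article, Salesforce, or Aura
Inspector. It evaluates records in the shape the REST and Tooling APIs return
for these queries (run them with an admin session and feed the JSON in):

  SELECT Id, Name FROM Profile WHERE UserLicense.Name = 'Guest User License'
  SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsViewAllRecords
      FROM ObjectPermissions WHERE Parent.ProfileId IN (:guestProfileIds)
  SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition  -- Tooling API

SENSITIVE_OBJECTS and all sample records below are constructed for the demo.
"""
from dataclasses import dataclass

# Standard objects that hold CRM data an anonymous visitor should never read.
# Constructed list; add your own custom objects (API names ending in __c).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}


@dataclass(frozen=True)
class Finding:
    profile: str   # guest profile name, or "(org-wide default)"
    sobject: str   # object API name
    issue: str     # human-readable description
    severity: str  # "high" or "medium"


def audit_guest_object_permissions(guest_profiles, object_permissions):
    """Flag guest profiles that can read objects an anonymous user should not.

    Read plus View All Records is 'high' because it bypasses sharing entirely;
    Read on a sensitive object is 'high'; Read on anything else is 'medium',
    since it is still reachable from the public site and needs a second look.
    """
    names_by_id = {p["Id"]: p["Name"] for p in guest_profiles}
    findings = []
    for perm in object_permissions:
        profile_id = perm["Parent"]["ProfileId"]
        if profile_id not in names_by_id or not perm["PermissionsRead"]:
            continue  # not a guest profile, or no read access at all
        sobject = perm["SobjectType"]
        profile = names_by_id[profile_id]
        if perm.get("PermissionsViewAllRecords"):
            findings.append(Finding(profile, sobject,
                "guest has View All Records (sharing bypassed)", "high"))
        elif sobject in SENSITIVE_OBJECTS:
            findings.append(Finding(profile, sobject,
                "guest has Read on a sensitive object", "high"))
        else:
            findings.append(Finding(profile, sobject,
                "guest has Read; confirm this object is meant to be public", "medium"))
    return findings


def audit_external_sharing_defaults(entity_definitions):
    """Flag objects whose external org-wide default is not Private.

    ControlledByParent is accepted here because the parent object carries the
    effective default and is checked on its own row.
    """
    return [
        Finding("(org-wide default)", e["QualifiedApiName"],
                f"external sharing model is {e['ExternalSharingModel']}", "high")
        for e in entity_definitions
        if e.get("ExternalSharingModel") not in (None, "Private", "ControlledByParent")
    ]


# Constructed sample API responses for the demo run.
GUEST_PROFILES = [
    {"Id": "00e000000000001AAA", "Name": "Support Site Guest User"},
]
OBJECT_PERMISSIONS = [
    {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Opportunity",
     "PermissionsRead": False, "PermissionsViewAllRecords": False},
    # An internal profile's permissions: must be ignored by the guest audit.
    {"Parent": {"ProfileId": "00e000000000002BBB"}, "SobjectType": "Lead",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
]
ENTITY_DEFINITIONS = [
    {"QualifiedApiName": "Account", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "ControlledByParent"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Read"},
]


def run_audit():
    """Combine both checks, highest severity first."""
    findings = (audit_guest_object_permissions(GUEST_PROFILES, OBJECT_PERMISSIONS)
                + audit_external_sharing_defaults(ENTITY_DEFINITIONS))
    return sorted(findings, key=lambda f: (f.severity != "high", f.sobject))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity:6}] {f.profile:28} {f.sobject:16} {f.issue}")
```

On the sample data the run reports three high findings (guest Read on Contact, guest View All Records on Case, and a public external default on Case) and one medium finding for the knowledge-article object, while ignoring both the Opportunity row without Read and the non-guest profile's Lead row. Object permissions and org-wide defaults are checked separately on purpose: a guest can only reach a record when both the profile grants the object and sharing grants the row, so either control alone closing is a valid fix, and the report shows which one is open.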

From darkreading.com
Table of contents
- Attackers Steal Salesforce Customer Data
- More Threats Against Salesforce Instances
