Current Cyber Threats

Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool

Summary:
The threat group known as ShinyHunters has publicly claimed to be actively exploiting misconfigured Salesforce Experience Cloud deployments to conduct large-scale data exfiltration. Targeting the Salesforce Aura framework, the attackers query misconfigured "guest user profiles" that inadvertently expose sensitive Customer Relationship Management (CRM) data to anonymous, unauthenticated visitors. While Salesforce maintains that this activity exploits customer-side configuration errors rather than a native platform vulnerability, ShinyHunters claims to have compromised between 300 and 400 organizations, a significant number of them operating in the cybersecurity sector. This campaign highlights a persistent risk around default access controls in widely adopted SaaS environments, where subtle permission misconfigurations can be rapidly weaponized by threat actors using automated reconnaissance and tailored data exfiltration tools.

Security Officer Comments:
The campaign centers on publicly exposed Salesforce Experience sites that allow the guest user profile to interact with the /s/sfsites/aura API endpoint. Under normal circumstances, this profile gives unauthenticated visitors access only to public data. When it is misconfigured with excessive permissions, however, threat actors can query internal Salesforce CRM objects directly without authenticating. In September 2025, ShinyHunters began scanning the internet for the /s/sfsites/ endpoint to identify vulnerable instances. Queries via the GraphQL API were initially limited to 2,000 records each, but the threat actors bypassed this record limit by manipulating the sortBy parameter.

To operationalize their reconnaissance, ShinyHunters modified AuraInspector, an open-source auditing tool originally released by Mandiant in January to help administrators identify access control flaws. This custom variant allowed the attackers to automate mass vulnerability scanning across potential targets. After identifying a vulnerable instance, the group used a custom data exfiltration tool, which initially sent a distinctive user agent string. After Salesforce patched the sortBy bypass, ShinyHunters claimed to have discovered a further method of bypassing the 2,000-record query limit. They further claim to have found a vulnerability that allows data theft from Aura instances even when they are properly configured, but Salesforce continues to state that there is no vulnerability in its platform.

Suggested Corrections:
Actionable Suggested Corrections

  • Disable Public API Access: The highest-impact change is to disable guest access to public APIs and remove the "API Enabled" setting from the guest profile.
  • Audit and Restrict Guest Permissions: Immediately audit guest user permissions and reduce them to the absolute minimum required for business functions.
  • Modify Org-Wide Defaults: Set organization-wide defaults to "Private" for all external access.
  • Disable Visibility Settings: Turn off "Portal User Visibility" and "Site User Visibility" to prevent guest users from enumerating internal users.
  • Disable Self-Registration: Turn off self-registration unless strictly necessary, as exposed guest data could be abused to create portal accounts and escalate privileges.
  • Disable Public Access (Nuclear Option): Completely disabling "Public Access" to an instance will stop the attacks, though this will turn the website into a private portal and break intended public functionality.
  • Monitor Aura Event Logs: Actively review Aura Event Monitoring logs for unusual access patterns, unfamiliar IP addresses, or unexpected queries against CRM objects that should remain private.
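The log review described above, as an added example that is not part of this bulletin or of any Salesforce tooling: it assumes a simplified, constructed CSV export (the real Event Monitoring schema differs) and flags source IPs whose unauthenticated requests to /s/sfsites/aura are unusually frequent, repeatedly hit the 2,000-record page limit, or carry an unfamiliar user agent.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export (hypothetical columns, not the real Event Monitoring schema).
# An empty user_id marks an unauthenticated (guest) request.
SAMPLE_LOG = """timestamp,client_ip,user_id,uri,user_agent,rows_returned
2025-09-14T10:00:01Z,203.0.113.7,,/s/sfsites/aura,Mozilla/5.0,120
2025-09-14T10:00:02Z,203.0.113.7,,/s/sfsites/aura,Mozilla/5.0,2000
2025-09-14T10:00:03Z,203.0.113.7,,/s/sfsites/aura,Mozilla/5.0,2000
2025-09-14T10:00:04Z,203.0.113.7,,/s/sfsites/aura,Mozilla/5.0,2000
2025-09-14T10:00:05Z,198.51.100.9,,/s/sfsites/aura,unknown-client/1.0,2000
2025-09-14T10:00:06Z,192.0.2.44,005-constructed-id,/s/sfsites/aura,Mozilla/5.0,15
2025-09-14T10:00:07Z,192.0.2.45,,/s/about,Mozilla/5.0,0
"""

AURA_PREFIX = "/s/sfsites/aura"
KNOWN_AGENTS = ("Mozilla/",)  # assumed allowlist of expected browser agents; tune to real traffic

def find_suspicious_guest_activity(log_text, max_requests=3, page_limit=2000):
    """Return {client_ip: [reasons]} for guest Aura traffic that exceeds a request
    threshold, repeatedly returns full pages, or uses an unfamiliar user agent."""
    per_ip = defaultdict(lambda: {"requests": 0, "full_pages": 0, "agents": set()})
    for row in csv.DictReader(StringIO(log_text)):
        # Only unauthenticated requests to the Aura endpoint are of interest here.
        if not row["uri"].startswith(AURA_PREFIX) or row["user_id"]:
            continue
        stats = per_ip[row["client_ip"]]
        stats["requests"] += 1
        if int(row["rows_returned"]) >= page_limit:
            stats["full_pages"] += 1
        stats["agents"].add(row["user_agent"])
    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        if stats["requests"] > max_requests:
            reasons.append(f"{stats['requests']} guest Aura requests")
        if stats["full_pages"] >= 2:
            reasons.append(f"{stats['full_pages']} responses at the {page_limit}-record limit")
        unknown = sorted(a for a in stats["agents"] if not a.startswith(KNOWN_AGENTS))
        if unknown:
            reasons.append("unfamiliar user agent: " + ", ".join(unknown))
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in find_suspicious_guest_activity(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Authenticated portal users and requests outside the Aura endpoint are ignored, so a hit means an anonymous client is paging through CRM data in a way the guest profile should never permit.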

General Best Practices
  • Principle of Least Privilege: Enforce strict least privilege access controls across all SaaS applications and guest profiles.
  • Continuous Security Auditing: Regularly audit exposed API endpoints and third-party integrations to ensure configurations have not drifted into a vulnerable state.
  • Designate a Security Contact: Ensure a designated security contact is registered within the Salesforce platform so the organization can be notified rapidly in the event of detected anomalies.
Link(s):
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/