Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access

At Salesforce, Trust is our number one value. We continuously monitor the global threat landscape to help ensure our customers are protected, and we believe that transparency is a vital part of maintaining that trust.
Recently, Salesforce Security has been tracking an increase in threat actor activity targeting misconfigurations of publicly accessible sites. Specifically, we have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended.
It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw. We are publishing this guidance to help our customers assess and take appropriate action to secure their environment.
About the Threat Actor Activity
Our Cyber Security Operations Center (CSOC) has been monitoring a campaign by a known threat actor group.
Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites. While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.
In a publicly accessible Salesforce Experience site, anonymous visitors share a “guest user profile.” If this profile is misconfigured with excessive permissions, a threat actor can directly query Salesforce CRM objects without logging in.
This activity reflects a broader trend of “identity-based” targeting. Data harvested in these scans, such as names and phone numbers, is often used to build follow-on targeted social engineering and “vishing” (voice phishing) campaigns.
Recommended Immediate Actions for Customers
Security is a shared responsibility that requires multiple layers of defense. Our detections are designed to complement our customers’ configuration hygiene and proactive security practices. While Salesforce has enhanced its anomaly detection capabilities and continues to invest in advanced measures to help protect our customers in response to a rapidly evolving threat landscape, there are also immediate actions customers should take to improve their security posture, starting with an audit of guest user permissions and enforcement of a “Least Privilege” access model, which together are an effective defense for your data.
We further recommend:
- Audit Guest User Configurations: Review your guest user profile to ensure it is restricted to the absolute minimum objects and fields required for your site to function.
Implementation steps: Navigate to Setup > All Sites > [Your Site] > Builder > Settings > General > Guest User Profile. For every object permission listed, ask whether an unauthenticated site visitor genuinely requires access to those records. Remove anything that is not clearly required. Start from zero access and restore only what tested functionality requires.
- Set Org Wide Defaults to “Private”: In Sharing Settings, ensure the Default External Access for all objects is set to Private.
Implementation steps: In Setup > Sharing Settings, confirm that org-wide defaults for all objects are set to Private for external users and that Secure guest user record access is enabled. Guest users cannot access any record unless you have explicitly created a sharing rule granting access.
- Disable Public APIs: Uncheck “Allow guest users to access public APIs” in your site settings and uncheck “API Enabled” in the guest user profile’s System Permissions.
Implementation steps: In your site settings, disable Allow guest users to access public APIs. In the guest user profile’s System Permissions, uncheck API Enabled. This is the highest-impact single change you can make. It closes the Aura endpoint to unauthenticated API queries, which is the exact vector used in this campaign.
- Restrict Visibility: Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings to prevent guest users from enumerating internal org members.
Implementation steps: In Sharing Settings, uncheck Portal User Visibility and Site User Visibility to prevent guest users from enumerating internal org members.
- Disable Self-Registration if Not Required: If your site does not require unauthenticated visitors to create their own accounts, disable self-registration. Data exposed through guest user misconfigurations can be used to self-register portal accounts, escalating a guest-tier exposure into an authenticated session with broader data access.
Implementation steps: Navigate to Setup > All Sites > [Your Site] > Workspaces > Administration > Login & Registration and remove the self-registration page assignment. If self-registration is required for your site to function, ensure the registration handler runs with sharing, assigns the most restrictive profile available, and requires email verification before the account is activated.
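The guest user audit above is a manual walk through Setup. The following script is an added example written for this page, not Salesforce tooling: it runs the same checks offline over exported permission data, flagging any write or sharing-bypass flag, any read access outside a per-site allowlist (rated high for identity-bearing objects such as Contact, Lead and User), and any guest profile that still has API Enabled. The two SOQL queries in the docstring and the nested JSON shape of the rows are assumptions about what a `sf data query --json` export returns; the profile names, objects and permission values are constructed sample data, not from any real org.

```python
"""Offline audit of exported guest user profile permissions.

Added example, not Salesforce tooling. It expects two exports whose shapes
are assumed to match what `sf data query --json` returns for:
  SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
         PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords, Parent.Profile.Name
  FROM ObjectPermissions
  WHERE Parent.Profile.UserLicense.Name = 'Guest User License'
and
  SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet
  WHERE IsOwnedByProfile = true
    AND Profile.UserLicense.Name = 'Guest User License'
The sample records below are constructed, not taken from a real org.
"""
from dataclasses import dataclass

# Flags that let an anonymous visitor write records or bypass sharing.
WRITE_OR_BYPASS_FLAGS = (
    "PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
    "PermissionsViewAllRecords", "PermissionsModifyAllRecords",
)
# Objects that usually hold the identity data (names, phone numbers, emails)
# that feeds follow-on vishing; unexpected read access to these is rated high.
IDENTITY_OBJECTS = {"Account", "Contact", "Lead", "User", "Case"}


@dataclass
class Finding:
    profile: str
    sobject: str
    severity: str
    detail: str


def audit_object_permissions(rows, allowed_read_objects):
    """Flag object permissions a guest profile should not hold.

    allowed_read_objects: the objects this site genuinely needs anonymous
    read access to (the "start from zero" allowlist from the audit steps).
    """
    findings = []
    for row in rows:
        profile = row["Parent"]["Profile"]["Name"]
        obj = row["SobjectType"]
        granted = [f[len("Permissions"):] for f in WRITE_OR_BYPASS_FLAGS if row.get(f)]
        if granted:
            findings.append(Finding(profile, obj, "high", "grants " + ", ".join(granted)))
        if row.get("PermissionsRead") and obj not in allowed_read_objects:
            severity = "high" if obj in IDENTITY_OBJECTS else "medium"
            findings.append(Finding(profile, obj, severity, "read access not on the site allowlist"))
    return findings


def audit_profile_settings(permission_sets):
    """Flag guest profiles whose System Permissions still include API Enabled."""
    return [
        Finding(ps["Profile"]["Name"], "-", "high", "API Enabled is set on the guest profile")
        for ps in permission_sets if ps.get("PermissionsApiEnabled")
    ]


def _perm(profile, sobject, **flags):
    # Constructed ObjectPermissions row in the nested shape of the JSON export.
    row = {"SobjectType": sobject, "Parent": {"Profile": {"Name": profile}},
           "PermissionsRead": False, "PermissionsCreate": False, "PermissionsEdit": False,
           "PermissionsDelete": False, "PermissionsViewAllRecords": False,
           "PermissionsModifyAllRecords": False}
    row.update(flags)
    return row


# Constructed sample data: two hypothetical guest profiles.
SAMPLE_OBJECT_PERMISSIONS = [
    _perm("Help Center Profile", "Knowledge__kav", PermissionsRead=True),
    _perm("Help Center Profile", "Contact", PermissionsRead=True),
    _perm("Help Center Profile", "Case", PermissionsRead=True, PermissionsCreate=True),
    _perm("Help Center Profile", "FAQ__c", PermissionsRead=True),
    _perm("Partner Site Profile", "Account", PermissionsRead=True, PermissionsViewAllRecords=True),
]
SAMPLE_PERMISSION_SETS = [
    {"Profile": {"Name": "Help Center Profile"}, "PermissionsApiEnabled": True},
    {"Profile": {"Name": "Partner Site Profile"}, "PermissionsApiEnabled": False},
]
SITE_ALLOWLIST = {"Knowledge__kav", "Case"}  # assumption: a public help center


def run_sample_audit():
    """Run both audits over the constructed sample and return all findings."""
    return (audit_object_permissions(SAMPLE_OBJECT_PERMISSIONS, SITE_ALLOWLIST)
            + audit_profile_settings(SAMPLE_PERMISSION_SETS))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity}] {f.profile} / {f.sobject}: {f.detail}")
```

Against the sample, the Knowledge article read is silent because it is on the allowlist, while the Contact read, the Case create, the Account ViewAllRecords grant and the API Enabled flag are each reported as high; the custom FAQ__c read is reported as medium so it still gets reviewed. Replace SITE_ALLOWLIST with the objects your own tested site functionality actually needs.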
Ongoing Investigation and Monitoring:
- Review Event Monitoring Logs: In addition to checking for unusual query volumes, review your Aura Event Monitoring logs for anomalous access patterns — such as queries targeting objects not intended to be public, unexpected spikes from unfamiliar IP addresses, or access outside normal business hours. If you suspect your environment may have been affected, contact Salesforce Support and complete the guest user audit steps outlined above rather than relying on log volume alone.
- Add a Security Contact: Ensure your org has a designated Security Contact so our team can reach the right person immediately if suspicious activity is detected.
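The three log review criteria above (non-public objects, spikes from unfamiliar addresses, off-hours access) can be expressed as simple detection rules. The script below is an added example written for this page, not a Salesforce product feature, and runs those rules over a handful of constructed log rows. It assumes the Aura request log has already been reduced to four fields per row (timestamp, client_ip, user_type, sobject) and that guest traffic carries user_type "Guest"; the business-hours window, the familiar network range and all sample addresses and timestamps are constructed assumptions.

```python
"""Rule-based review of Aura request log rows for guest user anomalies.

Added example, not Salesforce tooling. Each row is assumed to be a
simplified extract of an Aura Request event log record with the fields
timestamp (ISO 8601), client_ip, user_type and sobject. All sample rows
are constructed; the addresses come from documentation-only ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

PUBLIC_OBJECTS = {"Knowledge__kav"}                      # assumption: only articles are public
FAMILIAR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: known office range
BUSINESS_HOURS_UTC = range(8, 18)                        # assumption: org works 08:00-17:59 UTC
SPIKE_THRESHOLD = 5                                      # requests per window from one address
SPIKE_WINDOW_SECONDS = 60


@dataclass
class Finding:
    rule: str
    client_ip: str
    detail: str


def is_familiar(ip):
    """True when the address falls inside a network the org recognises."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FAMILIAR_NETWORKS)


def detect(rows):
    """Apply the three review rules and return one Finding per hit."""
    events = [{**r, "ts": datetime.fromisoformat(r["timestamp"])} for r in rows]
    findings = []

    # Rule 1: guest requests against objects that were never meant to be public,
    # aggregated per source address and object.
    guest_obj = defaultdict(int)
    for e in events:
        if e["user_type"] == "Guest" and e["sobject"] not in PUBLIC_OBJECTS:
            guest_obj[(e["client_ip"], e["sobject"])] += 1
    for (ip, obj), n in sorted(guest_obj.items()):
        findings.append(Finding("guest_nonpublic_object", ip, f"{n} guest request(s) against {obj}"))

    # Rule 2: request spike from one address inside a sliding time window.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["client_ip"]].append(e["ts"])
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > SPIKE_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= SPIKE_THRESHOLD:
                origin = "familiar" if is_familiar(ip) else "unfamiliar"
                findings.append(Finding("request_spike", ip,
                                        f">= {SPIKE_THRESHOLD} requests within {SPIKE_WINDOW_SECONDS}s from {origin} address"))
                break

    # Rule 3: guest activity outside business hours, aggregated per address.
    off_hours = defaultdict(int)
    for e in events:
        if e["user_type"] == "Guest" and e["ts"].astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            off_hours[e["client_ip"]] += 1
    for ip, n in sorted(off_hours.items()):
        findings.append(Finding("off_hours_guest_access", ip, f"{n} guest request(s) outside business hours"))
    return findings


def _row(ts, ip, user_type, sobject):
    return {"timestamp": ts, "client_ip": ip, "user_type": user_type, "sobject": sobject}


# Constructed sample: a burst of guest reads from an unknown address at 03:14 UTC,
# normal daytime article reads from the office range, and one internal user.
SAMPLE_ROWS = [
    _row("2024-03-12T03:14:05+00:00", "198.51.100.7", "Guest", "Contact"),
    _row("2024-03-12T03:14:12+00:00", "198.51.100.7", "Guest", "Contact"),
    _row("2024-03-12T03:14:20+00:00", "198.51.100.7", "Guest", "Lead"),
    _row("2024-03-12T03:14:31+00:00", "198.51.100.7", "Guest", "Account"),
    _row("2024-03-12T03:14:44+00:00", "198.51.100.7", "Guest", "User"),
    _row("2024-03-12T03:14:58+00:00", "198.51.100.7", "Guest", "Knowledge__kav"),
    _row("2024-03-12T10:02:10+00:00", "203.0.113.10", "Guest", "Knowledge__kav"),
    _row("2024-03-12T10:05:41+00:00", "203.0.113.10", "Guest", "Knowledge__kav"),
    _row("2024-03-12T10:09:03+00:00", "203.0.113.10", "Guest", "Knowledge__kav"),
    _row("2024-03-12T14:00:00+00:00", "203.0.113.22", "Standard", "Contact"),
]


def run_sample_detection():
    """Run the rules over the constructed sample and return the findings."""
    return detect(SAMPLE_ROWS)


if __name__ == "__main__":
    for f in run_sample_detection():
        print(f"{f.rule:24} {f.client_ip:15} {f.detail}")
```

On the sample, every finding points at the single unknown address: four object findings (Contact, Lead, Account, User), one spike and one off-hours hit, while the office-range article reads and the authenticated internal user produce nothing. Tune PUBLIC_OBJECTS to the allowlist from your guest profile audit so that the two reviews agree on what "intended to be public" means.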
Salesforce’s Commitment to Trust
If Salesforce becomes aware of unauthorized access to customer data, we notify impacted customers without undue delay. Our teams work around the clock to share information with the threat intelligence community to help ensure our customers’ security. Public Security Advisories are available on our Trust site.
While our platform remains resilient, maintaining a secure environment is a shared responsibility that requires consistent, coordinated action. For more resources and the latest step-by-step guides, visit our Security Best Practices.