Large-Scale Scanning Campaign Targets Salesforce Experience Cloud Environments



Security researchers have recently detected widespread scanning activity aimed at Salesforce Experience Cloud websites. The campaign appears to focus on identifying platforms that may have been improperly configured, potentially allowing attackers to access sensitive data without authentication.

The activity involves automated tools that search across numerous Experience Cloud portals to locate systems where public access permissions have been set too broadly. Once these environments are identified, attackers attempt to extract information that should normally remain protected within the organization’s customer relationship management system.

Misconfigured Public Access as the Main Risk

Experience Cloud portals are often designed to allow certain content to be accessible to visitors through a guest user account. This feature is commonly used to provide access to public information such as knowledge bases, customer support documentation, or community pages.

However, if the guest account permissions are not carefully restricted, the configuration may unintentionally expose internal data stored in Salesforce objects. In such cases, unauthorized users may be able to interact with backend APIs and retrieve information without logging in.

Automated Tools Used for Reconnaissance

The scanning campaign relies on tools capable of identifying Experience Cloud environments and testing them for weak access controls. Some of these tools are based on software originally developed for legitimate security auditing purposes but have been adapted to automate the discovery of exposed systems.

Once a misconfigured environment is found, the tool can query Salesforce endpoints and attempt to gather available data. This allows attackers to perform reconnaissance across a large number of targets in a relatively short period of time.

Possible Security Impact

If sensitive data becomes accessible through these misconfigurations, attackers may be able to collect information such as customer details, organizational contacts, or internal metadata from CRM systems.

Security experts warn that this information could later be used in targeted attacks, including phishing or other social engineering techniques designed to impersonate trusted individuals within an organization.

Preventive Measures for Organizations

The issue does not originate from a vulnerability in Salesforce itself but from incorrectly configured access permissions within Experience Cloud deployments. Organizations using this platform are advised to carefully review their guest user privileges and ensure that public users cannot access sensitive objects or API endpoints.

Implementing stricter access controls, auditing configuration settings regularly, and monitoring logs for suspicious queries are important steps in reducing the risk of unauthorized data exposure.
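The guest-privilege review described above can be scripted against an export of the guest profile's object permissions. The following is an added example, not code from Salesforce or from the researchers; the allowlist, the profile name and the sample rows are constructed, and the licence-name filter in the commented query is an assumption to confirm in your own org.

```python
# SOQL an administrator could use to export the rows audited below. The columns
# are standard ObjectPermissions fields; the licence name is an assumption:
#   SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate,
#          PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
#          PermissionsModifyAllRecords
#   FROM ObjectPermissions
#   WHERE Parent.Profile.UserLicense.Name = 'Guest User License'

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")

# Hypothetical allowlist: objects this example org intends guests to read.
PUBLIC_READ_OK = {"Knowledge__kav", "Topic"}


def audit_guest_permissions(rows, public_read_ok=PUBLIC_READ_OK):
    """Return sorted (profile, object, reason) findings for guest-profile rows."""
    findings = []
    for row in rows:
        profile, obj = row["Profile"], row["SobjectType"]
        broad = [f for f in BROAD_FLAGS if row.get(f)]
        write = [f for f in WRITE_FLAGS if row.get(f)]
        if broad:
            findings.append((profile, obj, "record-wide access: " + ", ".join(broad)))
        if write:
            findings.append((profile, obj, "guest can modify data: " + ", ".join(write)))
        if row.get("PermissionsRead") and obj not in public_read_ok:
            findings.append((profile, obj, "read access outside public allowlist"))
    return sorted(findings)


# Constructed sample rows, not taken from any real org.
P = "Support Site Profile"
SAMPLE_ROWS = [
    {"Profile": P, "SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"Profile": P, "SobjectType": "Contact", "PermissionsRead": True},
    {"Profile": P, "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsCreate": True},
    {"Profile": P, "SobjectType": "Account", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},
]

if __name__ == "__main__":
    for profile, obj, reason in audit_guest_permissions(SAMPLE_ROWS):
        print(f"{profile}: {obj}: {reason}")
```

Object permissions are only one layer of guest access; sharing settings for guest users need the same review.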

The campaign highlights how even small configuration mistakes in cloud platforms can create opportunities for attackers when they are discovered and exploited at scale.
