Salesforce Compromise: What You Need to Know

the exploit blog logo
Penetration Testing Blog
Salesforce Compromise: What You Need to Know
Posted on October 15, 2025
Written by Jason Taylor

You’ve likely seen the news about the FBI seizing a portal used for widespread Salesforce attacks last week. The possibility for compromise does not end there, though.

The FBI has released multiple Indicators of Compromise (IoC’s) to assist organizations in determining if their Salesforce platform has been compromised. Threat actors designated as UNC6040 and UNC6395 have been using various methods to obtain initial access, including vishing and phishing attacks against organization help desks, and compromised authentication tokens from breached Salesforce integrated applications.

Check out the FBI FLASH notification for IP addresses and URL’s associated with these two threat actors for detailed information. It is strongly recommended that organizations check their environment for systems accessing these IoC’s and investigate appropriately.

If you use the low code solutions in Salesforce and find yourself with a complex organization and permission structure, consider having Raxis perform a Salesforce security audit on your organization to ensure you are staying up on the latest security recommendations.

Jason Taylor

Jason Taylor
Jason has a passion for asking “what-if” questions and for trying to “break” software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.

About The Exploit Blog

The Exploit is written by Raxis penetration testers. Every post is a technical writeup from someone who runs engagements for a living, with code, command output, and the reasoning behind each step. Topics include exploit research, vulnerability disclosure, tool development, and the offensive techniques showing up in current client work.

Search The Exploit Blog

Raxis Discovered Vulnerabilities

View the CVEs and bugs that Raxis pentesters have uncovered and submitted.

Tested by the People Who Wrote This Blog Post

The engineers behind these posts run real engagements every week. Put them on your network, web apps, APIs, or cloud and see what an attacker would find first.

Request A Quote Schedule Call

Blog Categories

Join Our Newsletter

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.