Threat Actors Mass Scan Salesforce Experience Cloud Using Modified AuraInspector Tool


Salesforce has issued a warning about increased threat actor activity targeting publicly accessible Experience Cloud environments through large-scale scanning operations. According to the company, attackers are attempting to exploit configuration weaknesses using a modified version of an open-source security auditing tool known as AuraInspector. The activity is focused on identifying and taking advantage of Experience Cloud deployments whose guest user settings are configured with excessive permissions, potentially allowing unauthorized access to sensitive organizational data.

Salesforce said the available evidence indicates that attackers are using a customized variant of AuraInspector to perform automated scans across public-facing Experience Cloud websites. The original AuraInspector tool was created to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. It works by probing the API endpoints these websites expose, particularly the endpoint at /s/sfsites/aura, which can reveal objects that are accessible because of configuration weaknesses.

The threat actors behind the current campaign appear to have modified the tool to extend its capabilities. Instead of only detecting exposed objects, the customized version is reportedly capable of extracting data directly from affected environments by abusing overly permissive guest user settings configured by some customers.

Salesforce explained that these attacks rely on publicly accessible Experience Cloud sites where guest user profiles allow unauthenticated access to certain resources such as landing pages, frequently asked questions, and knowledge base articles. While these profiles are designed to allow limited public interaction, misconfigurations that grant additional privileges can unintentionally expose other internal data structures.

The open-source AuraInspector tool itself was released in January 2026 by cybersecurity firm Mandiant, which is owned by Google. It was developed as a resource for security teams seeking to audit Salesforce deployments and identify configuration errors that might allow unauthorized access to data through the Aura framework. When misconfigured permissions exist, attackers can exploit those settings to query Salesforce customer relationship management objects without authenticating to the system.

Salesforce clarified that for such attacks to succeed, two specific conditions must exist within the targeted environment. The organization must be using the guest user profile associated with Experience Cloud sites, and it must not have followed the company's recommended configuration guidelines that limit external access. The company emphasized that it has not identified any inherent vulnerability within the Salesforce platform itself that would allow this activity to occur automatically; the risk stems from how certain customer environments are configured. Where excessive permissions are granted to guest profiles, unauthenticated users may gain visibility into data that should normally remain restricted.

While Salesforce did not publicly identify the threat group behind the campaign, it stated that the activity has been linked to a known actor group. Security observers believe it may be associated with ShinyHunters, also known as UNC6240, which has previously targeted Salesforce environments through third-party integrations including Salesloft and Gainsight.

As part of its response, Salesforce has advised customers to review and tighten configuration settings related to Experience Cloud guest users. The company recommends setting Default External Access for all objects to Private, restricting guest user access to public APIs, limiting visibility settings that could allow enumeration of internal organization members, and disabling self-registration features if they are not required. Customers are also encouraged to monitor system logs for unusual queries or abnormal access patterns that may indicate scanning activity.

Salesforce noted that the campaign reflects a broader shift in cyber activity toward identity-based targeting strategies. Information collected through automated scans, including names and phone numbers, can later be used by attackers to launch targeted social engineering campaigns and voice phishing operations designed to manipulate employees or customers into revealing additional information or granting further access.
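The monitoring advice above, as an added example that is not Salesforce's code or the article's own: it scans constructed access-log lines (a simplified format assumed for illustration, not real Salesforce event telemetry) and flags sources that burst unauthenticated guest requests at the /s/sfsites/aura endpoint, the pattern an automated Aura scan would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real Salesforce telemetry). Assumed format:
# <ip> <ISO timestamp> <method> <path> <status> <guest|user>
SAMPLE_LOG = """\
203.0.113.7 2026-03-01T10:00:01 POST /s/sfsites/aura 200 guest
203.0.113.7 2026-03-01T10:00:02 POST /s/sfsites/aura 200 guest
203.0.113.7 2026-03-01T10:00:02 POST /s/sfsites/aura 200 guest
203.0.113.7 2026-03-01T10:00:03 POST /s/sfsites/aura 200 guest
203.0.113.7 2026-03-01T10:00:04 POST /s/sfsites/aura 200 guest
203.0.113.7 2026-03-01T10:00:05 POST /s/sfsites/aura 200 guest
198.51.100.4 2026-03-01T10:00:07 GET /s/faq 200 guest
198.51.100.4 2026-03-01T10:00:09 POST /s/sfsites/aura 200 guest
192.0.2.9 2026-03-01T10:01:00 POST /s/sfsites/aura 200 user
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<auth>\S+)$"
)
AURA_PATH = "/s/sfsites/aura"  # endpoint named in the advisory

def flag_aura_scanners(log_text, window_seconds=60, threshold=5):
    """Return {ip: burst_size} for sources that sent at least `threshold`
    guest (unauthenticated) requests to the Aura endpoint within any
    `window_seconds` span. Thresholds are assumed tuning values."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        if m["path"] != AURA_PATH or m["auth"] != "guest":
            continue  # authenticated users and other paths are out of scope
        hits[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_aura_scanners(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Real deployments would feed this from Salesforce event logs or a reverse proxy and tune the window and threshold to the site's normal guest traffic.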
