Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of an open-source security tool, the company warned, with one group claiming to have breached “several hundred” companies.
The campaign exploits overly permissive guest user profile configurations — a setting flaw, not a platform vulnerability. Salesforce stated it has “not identified any vulnerability inherent to the Salesforce platform associated with this activity,” framing the exposure entirely as a customer misconfiguration problem.
How the Attack Works
The tool at the center of the campaign is AuraInspector, an open-source auditing utility released by Mandiant — a Google-owned firm — in January 2026. The original tool identifies misconfigured objects by probing API endpoints, specifically the /s/sfsites/aura endpoint, exposed by Experience Cloud sites.
Attackers are using a customized version that goes further. According to the announcement, this modified build can actively extract data rather than merely flag vulnerabilities, targeting sites where guest user profiles carry excessive permissions.
Experience Cloud’s guest user profile is designed to let unauthenticated visitors access public-facing content — landing pages, FAQs, knowledge articles. When misconfigured, the same profile can allow an unauthenticated user to directly query Salesforce CRM objects without credentials. Two conditions must both be present for the attack to succeed: the site uses the guest user profile, and the operator has not followed Salesforce’s recommended configuration guidance.
Attribution and Scope
The company attributed the campaign to a known threat actor without naming the group. Screenshots posted by Dark Web Informer on X show ShinyHunters — also tracked as UNC6240 — claiming responsibility for what it called the “Salesforce Aura Campaign.” The group has a documented history of targeting Salesforce environments through third-party integrations including Salesloft and Gainsight.
Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said his firm is “working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.”
The data harvested — names, phone numbers — feeds follow-on attacks. The firm described the pattern as part of a broader “identity-based” targeting trend, where scraped contact data fuels social engineering and voice phishing campaigns.
Salesforce issued a list of remediation steps for affected customers:
- Set Default External Access for all objects to Private
- Disable guest users’ access to public APIs
- Restrict visibility settings to prevent guest users from enumerating internal organization members
- Disable self-registration if not required
- Monitor logs for unusual queries
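The last step, monitoring for unusual guest queries, can be turned into a simple detection. The following is an added example, not code from Salesforce or from the article's sources; it runs over constructed log lines in an assumed format (client IP, path, auth state, object name), with an assumed allowlist of the objects the site intends to expose to guests, and flags guest-user requests to the /s/sfsites/aura endpoint that reach objects outside that allowlist or enumerate an unexpected number of distinct objects.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed format (not Salesforce's native log format):
# <timestamp> <client_ip> <method> <path> auth=<guest|session> obj=<object_or_-> status=<code>
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.7 POST /s/sfsites/aura auth=guest obj=Account status=200
2026-03-01T10:00:02Z 203.0.113.7 POST /s/sfsites/aura auth=guest obj=Contact status=200
2026-03-01T10:00:03Z 203.0.113.7 POST /s/sfsites/aura auth=guest obj=Lead status=200
2026-03-01T10:00:04Z 203.0.113.7 POST /s/sfsites/aura auth=guest obj=Case status=200
2026-03-01T10:00:05Z 203.0.113.7 POST /s/sfsites/aura auth=guest obj=User status=200
2026-03-01T10:00:06Z 198.51.100.4 POST /s/sfsites/aura auth=session obj=Account status=200
2026-03-01T10:00:07Z 198.51.100.4 POST /s/sfsites/aura auth=session obj=Opportunity status=200
2026-03-01T10:00:08Z 192.0.2.9 POST /s/sfsites/aura auth=guest obj=Knowledge__kav status=200
2026-03-01T10:00:09Z 192.0.2.9 GET /s/faq auth=guest obj=- status=200
2026-03-01T10:00:10Z 192.0.2.9 POST /s/sfsites/aura auth=guest obj=Knowledge__kav status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>\S+) obj=(?P<obj>\S+) status=(?P<status>\d+)$"
)

AURA_PATH = "/s/sfsites/aura"
# Objects this site intentionally exposes to unauthenticated visitors (assumed for the example).
PUBLIC_OBJECTS = {"Knowledge__kav"}


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_guest_enumeration(text, max_distinct=3):
    """Return one finding per client IP that, as the guest user, queried the Aura
    endpoint for objects outside the public allowlist or for more than
    max_distinct different objects. Authenticated sessions and ordinary page
    views are ignored, since the exposure described is specific to guest access."""
    per_ip = defaultdict(lambda: {"requests": 0, "objects": set()})
    for ev in parse_log(text):
        if ev["path"] != AURA_PATH or ev["auth"] != "guest":
            continue
        stats = per_ip[ev["ip"]]
        stats["requests"] += 1
        stats["objects"].add(ev["obj"])
    findings = []
    for ip, stats in sorted(per_ip.items()):
        non_public = sorted(stats["objects"] - PUBLIC_OBJECTS)
        if non_public or len(stats["objects"]) > max_distinct:
            findings.append({"ip": ip, "requests": stats["requests"], "non_public_objects": non_public})
    return findings


if __name__ == "__main__":
    for f in find_guest_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['requests']} guest Aura requests, non-public objects {f['non_public_objects']}")
```

On the sample, only 203.0.113.7 is reported: it walks five CRM objects as the guest user, while the authenticated client and the visitor reading knowledge articles are left alone.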
The company’s framing places responsibility squarely on customers who have not adhered to its published configuration guidance, a position that limits Salesforce’s own liability while leaving operators of misconfigured sites exposed until they act.
This article is a curated summary based on third-party sources.