Salesforce has issued a security alert detailing a significant increase in threat actor activity targeting misconfigured, publicly accessible Experience Cloud sites. The attackers are using a customized version of an open-source security tool named AuraInspector to perform mass scanning and data extraction. According to Salesforce, this campaign specifically exploits customers' overly permissive guest user profile configurations within Experience Cloud, allowing unauthorized access to sensitive data without authentication. The company emphasized that this activity does not stem from a vulnerability within the Salesforce platform itself but is a direct result of customers not adhering to recommended configuration and security hardening guidelines for guest user access.
The core of the attack leverages a modified version of AuraInspector, a tool originally released by Google-owned Mandiant in January 2026. The legitimate tool is designed to help security professionals audit and identify access control misconfigurations within the Salesforce Aura framework by probing exposed API endpoints. However, threat actors have developed a custom variant that extends beyond mere identification. This malicious version can actively exploit misconfigurations to extract data from Salesforce Customer Relationship Management (CRM) objects. The attack targets the `/s/sfsites/aura` endpoint on public-facing sites, which is intended for guest access to content like landing pages and knowledge articles.
For the attack to be successful, two critical misconfiguration conditions must be present on an Experience Cloud site. First, the site must be using the guest user profile feature to allow unauthenticated public access. Second, and most crucially, this guest profile must have been configured with excessive object and field-level permissions, deviating from Salesforce's principle of least privilege. When both conditions hold, an attacker can use the tool to directly query and exfiltrate data—such as customer records, internal documents, or product information—without needing any login credentials. This represents a severe data exposure risk stemming from configuration errors rather than a software flaw.
Salesforce's advisory underscores a persistent challenge in cloud security: the shared responsibility model. While Salesforce maintains the security *of* the cloud platform, customers are responsible for security *in* the cloud, which includes proper configuration of their services. The company has reiterated its configuration guidance, urging all Experience Cloud customers to immediately review and audit their guest user profiles. Recommended actions include enforcing the principle of least privilege, removing unnecessary object and field permissions, and ensuring that guest access is strictly limited to intended public content. Organizations are advised to treat this mass-scanning activity as a clear indicator that automated tools are actively hunting for such misconfigurations across the internet.
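The audit recommended above can be made repeatable. The script below is an added example (not Salesforce's or Mandiant's code): it takes the JSON a Salesforce REST `query` call returns for the SOQL shown and flags every object permission held by a guest-licensed profile that is not on an explicit allow-list of intended public grants. The SOQL, the allow-list contents, the profile name and the sample export are all assumptions constructed for the example.

```python
"""Audit guest user profile object permissions exported from Salesforce.

Added example: input is the 'records' list returned by the REST query API
for GUEST_OBJECT_PERMS_SOQL; the sample below is constructed so it runs offline.
"""
import json

# Assumed query: ObjectPermissions rows owned by profiles on the Guest User
# License (run via the REST API or `sf data query`, not included here).
GUEST_OBJECT_PERMS_SOQL = """
SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate,
       PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
       PermissionsModifyAllRecords
FROM ObjectPermissions
WHERE Parent.IsOwnedByProfile = true
  AND Parent.Profile.UserLicense.Name = 'Guest User License'
"""

# Assumed allow-list: the only grants the public site legitimately needs.
# Anything else a guest profile holds is a finding.
INTENDED_GUEST_GRANTS = {
    "Knowledge__kav": {"PermissionsRead"},   # public knowledge articles
    "Case": {"PermissionsCreate"},           # e.g. a public 'contact us' form
}
PERMISSION_FIELDS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
                     "PermissionsDelete", "PermissionsViewAllRecords",
                     "PermissionsModifyAllRecords")

def audit_guest_permissions(records, intended=INTENDED_GUEST_GRANTS):
    """Return (profile, object, permission) for every unintended guest grant."""
    findings = []
    for row in records:
        profile = row["Parent"]["Profile"]["Name"]
        obj = row["SobjectType"]
        allowed = intended.get(obj, set())
        for perm in PERMISSION_FIELDS:
            if row.get(perm) and perm not in allowed:
                findings.append((profile, obj, perm))
    return findings

# Constructed sample export: one intended grant, two over-permissive objects.
def _row(obj, **grants):
    base = {p: False for p in PERMISSION_FIELDS}
    base.update(grants)
    return {"Parent": {"Profile": {"Name": "Help Center Profile"}}, "SobjectType": obj, **base}

SAMPLE_EXPORT = {"records": [
    _row("Knowledge__kav", PermissionsRead=True),
    _row("Contact", PermissionsRead=True, PermissionsViewAllRecords=True),
    _row("Case", PermissionsRead=True, PermissionsCreate=True, PermissionsEdit=True),
]}

if __name__ == "__main__":
    for profile, obj, perm in audit_guest_permissions(SAMPLE_EXPORT["records"]):
        print(f"{profile}: {obj} grants {perm} to unauthenticated guests")
```

Feed it a real export by replacing `SAMPLE_EXPORT` with `json.load()` of the query response; a clean guest profile yields an empty findings list.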