Salesforce has warned of increased threat actor activity aimed at misconfigurations in publicly accessible Experience Cloud sites, using a customised version of an open-source tool called AuraInspector to mass-scan public-facing sites. The activity exploits customers’ overly permissive Experience Cloud guest user configurations to access sensitive data, with evidence that the threat actor’s modified AuraInspector can go beyond identification to actually extract data from the /s/sfsites/aura endpoint.
AuraInspector was released by Google-owned Mandiant in January 2026. Public Salesforce sites use a guest user profile that grants unauthenticated access to content such as landing pages, FAQs and knowledge articles and, if misconfigured, can expose more than intended. Salesforce says that, at this time, there is no inherent Salesforce platform vulnerability, and that these attempts appear to focus on customer configuration settings rather than a platform flaw.
The company notes the campaign may be the work of a known threat actor group, possibly ShinyHunters (aka UNC6240). Salesforce recommends reviewing Experience Cloud guest user settings, tightening object access, disabling guest API access and monitoring logs for unusual queries.
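
One way to act on the log-monitoring recommendation, as an added example (not Salesforce's or Mandiant's code): a sliding-window check that flags clients sending bursts of guest POST requests to the /s/sfsites/aura endpoint. The CSV column layout, sample rows, window and threshold are assumptions made for illustration and need mapping to whatever your request logs actually record.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"   # endpoint named in the article
WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 4                   # assumed tuning value, kept low for the sample

# Constructed sample log. The column layout is an assumption, not a Salesforce schema.
SAMPLE_LOG = """timestamp,client_ip,user_type,method,path
2026-03-01T10:00:00,198.51.100.7,guest,GET,/s/
2026-03-01T10:00:02,198.51.100.7,guest,POST,/s/sfsites/aura
2026-03-01T10:01:00,203.0.113.50,guest,POST,/s/sfsites/aura
2026-03-01T10:01:20,203.0.113.50,guest,POST,/s/sfsites/aura
2026-03-01T10:01:40,203.0.113.50,guest,POST,/s/sfsites/aura
2026-03-01T10:02:00,203.0.113.50,guest,POST,/s/sfsites/aura
2026-03-01T10:02:20,203.0.113.50,guest,POST,/support/s/sfsites/aura?r=5
2026-03-01T10:03:00,192.0.2.9,member,POST,/s/sfsites/aura
2026-03-01T10:03:05,192.0.2.9,member,POST,/s/sfsites/aura
2026-03-01T10:03:10,192.0.2.9,member,POST,/s/sfsites/aura
2026-03-01T10:03:15,192.0.2.9,member,POST,/s/sfsites/aura
2026-03-01T10:20:00,198.51.100.7,guest,POST,/s/sfsites/aura
"""


def find_guest_aura_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak count} for clients whose guest POSTs to the
    Aura endpoint reach `threshold` inside any `window`-long span."""
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    peaks = {}
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        # Ignore the query string; sites may serve the endpoint under a path prefix.
        path = row["path"].split("?", 1)[0].rstrip("/")
        if row["user_type"] != "guest" or row["method"] != "POST":
            continue
        if not path.endswith(AURA_PATH):
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        seen = recent[row["client_ip"]]
        seen.append(ts)
        while ts - seen[0] > window:   # drop requests that fell out of the window
            seen.popleft()
        if len(seen) >= threshold:
            peaks[row["client_ip"]] = max(peaks.get(row["client_ip"], 0), len(seen))
    return peaks
```

Authenticated traffic and slow, occasional guest requests are not flagged; only the client that sent five guest POSTs within the window is returned.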