Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool
Source: The Hacker News
Overview
Salesforce has warned of an increase in threat‑actor activity aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites. The actors are using a customized version of the open‑source tool AuraInspector to mass‑scan these sites and extract data from overly permissive guest‑user configurations.
“Evidence indicates the threat actor is leveraging a modified version of the open‑source tool AuraInspector … to perform mass scanning of public‑facing Experience Cloud sites,” Salesforce said.
While the original AuraInspector is limited to identifying vulnerable objects by probing the /s/sfsites/aura API endpoint, the modified tool can go beyond identification and actually extract data, exploiting permissive guest‑user settings.
AuraInspector
AuraInspector is an open‑source audit tool designed to help security teams identify and audit access‑control misconfigurations within the Salesforce Aura framework. It was released by Google‑owned Mandiant in January 2026.
Impact on Experience Cloud
Publicly accessible Salesforce sites use a dedicated guest‑user profile that allows unauthenticated users to view landing pages, FAQs, and knowledge articles. If this profile is misconfigured with excessive permissions, unauthenticated users can gain access to additional data, including the ability to query Salesforce CRM objects directly.
For the attack to succeed, an Experience Cloud customer must both:
- Use the guest‑user profile on a publicly accessible site.
- Not have applied Salesforce’s recommended configuration guidance (e.g., Default External Access set to Private).
Salesforce clarified that no inherent platform vulnerability has been identified; the attempts focus on insecure customer configuration settings.
Threat Actor Attribution
Salesforce attributed the campaign to a known threat‑actor group, though the name was not disclosed. The activity may be linked to ShinyHunters (aka UNC‑6240), which has previously targeted Salesforce environments via third‑party applications such as Salesloft and Gainsight.
Recommendations
Salesforce advises customers to:
- Review Experience Cloud guest‑user settings.
- Ensure Default External Access for all objects is set to Private.
- Disable guest‑user access to public APIs.
- Restrict visibility settings to prevent enumeration of internal organization members.
- Disable self‑registration if it is not required.
- Monitor logs for unusual queries.
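To make the last recommendation concrete, the following is an added example (not Salesforce’s or Mandiant’s code) that runs two simple checks over request logs: guest‑user reads of CRM objects outside the set a public site is expected to expose, and bursts of guest requests to the /s/sfsites/aura endpoint from a single source, the pattern a mass scan produces. The log format, the public‑object allowlist, and the thresholds are assumptions for this example; adapt them to the site’s real logging and design.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Salesforce log format):
# timestamp, source IP, user type, request path, CRM object touched
SAMPLE_LOG = """\
2026-03-01T10:00:00Z 203.0.113.7 guest /s/sfsites/aura Knowledge__kav
2026-03-01T10:00:01Z 203.0.113.7 guest /s/sfsites/aura Knowledge__kav
2026-03-01T10:00:02Z 203.0.113.7 guest /s/sfsites/aura Contact
2026-03-01T10:00:03Z 203.0.113.7 guest /s/sfsites/aura User
2026-03-01T10:00:04Z 203.0.113.7 guest /s/sfsites/aura Account
2026-03-01T10:00:05Z 203.0.113.7 guest /s/sfsites/aura Case
2026-03-01T10:05:00Z 198.51.100.9 guest /s/sfsites/aura Knowledge__kav
2026-03-01T10:30:00Z 198.51.100.9 authenticated /s/sfsites/aura Contact
"""

# Objects a guest user is legitimately expected to read on this public site
# (assumed allowlist for the example; tune it to the site's actual design).
PUBLIC_OBJECTS = {"Knowledge__kav"}
AURA_PATH = "/s/sfsites/aura"


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        ts, ip, user_type, path, obj = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "ip": ip, "user": user_type, "path": path, "obj": obj})
    return records


def detect(records, window=timedelta(seconds=60), burst=5):
    """Return (kind, source IP, detail) findings for the two checks."""
    findings = []
    # Check 1: guest-user Aura requests touching objects outside the allowlist
    for r in records:
        if r["user"] == "guest" and r["path"] == AURA_PATH and r["obj"] not in PUBLIC_OBJECTS:
            findings.append(("guest_object_access", r["ip"], r["obj"]))
    # Check 2: >= `burst` guest Aura requests from one IP inside a sliding window
    by_ip = defaultdict(list)
    for r in records:
        if r["user"] == "guest" and r["path"] == AURA_PATH:
            by_ip[r["ip"]].append(r["ts"])
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= burst:
                findings.append(("aura_burst", ip, end - start + 1))
                break  # one burst finding per source is enough
    return findings
```

On the sample, 203.0.113.7 triggers four object‑access findings (Contact, User, Account, Case) and one burst finding, while 198.51.100.9 triggers nothing because its Contact read is authenticated.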
“This threat‑actor activity reflects a broader trend of ‘identity‑based’ targeting. Data harvested in these scans—such as names and phone numbers—is often used to build follow‑on targeted social‑engineering and ‘vishing’ (voice‑phishing) campaigns,” Salesforce added.