
Threat Actors Mass-Scan Salesforce Experience Cloud with Modified AuraInspector Tool

Ravie Lakshmanan | March 10, 2026 | Cloud Security / API Security

Salesforce has warned of increased activity by malicious actors aiming to exploit misconfigurations on publicly accessible Experience Cloud sites by using a customized version of an open source tool called AuraInspector.

The activity, according to the company, involves targeting customers whose Experience Cloud guest user settings grant more access than needed, in order to reach sensitive data.

“Evidence shows that the threat actor is using a modified version of the open source tool AuraInspector. […] to perform multiple scans of public-facing Experience Cloud sites,” Salesforce said.

“While the original AuraInspector was limited to identifying vulnerabilities by inspecting the API endpoints exposed by these sites (mainly the /s/sfsites/aura endpoint), the actor developed a custom version of the tool that can bypass identification to actually extract data – using settings that allow the guest user.”

AuraInspector is an open source tool, released by Google-owned Mandiant in January 2026, designed to help security teams identify and test access control misconfigurations within the Salesforce Aura framework.

Publicly accessible Salesforce sites use a dedicated guest user profile that allows an unauthenticated visitor to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can give unauthenticated users access to more data than intended.

An attacker can abuse this weakness to directly query Salesforce CRM objects without logging in. For the attack to work, two conditions must hold for an Experience Cloud customer: the site uses a guest user profile, and the customer has not followed Salesforce's recommended configuration guidelines.

“At this time, we have not identified any vulnerabilities in the Salesforce platform associated with this transaction,” Salesforce said. “These efforts focus on customer configuration settings that, if not properly secured, can increase exposure.”

The company attributed the campaign to a known threat group without naming it, suggesting that it may be the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce customers through third-party applications, including Gainsight's.

Salesforce recommends customers review their Experience Cloud guest user settings, ensure that Default External Access for all objects is set to Private, disable guest user access to public APIs, limit visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries.
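The last recommendation above, monitoring logs for unusual queries, can be started with a simple rate check over request logs for the /s/sfsites/aura endpoint the article names. The following is an added example written for this page; it is not code from the article, from Salesforce, or from Mandiant's AuraInspector. It assumes you have combined-format access logs from a proxy or CDN in front of the site, and the log lines, IP addresses, user agents, query strings and thresholds are constructed values chosen for illustration.

```python
"""Flag clients that burst requests at the Experience Cloud Aura endpoint.

Added example, not part of the article or of any Salesforce/Mandiant tool.
Assumption: combined-format access logs (client IP, timestamp, request line,
status, size, referer, user agent) are available from a proxy in front of
the site. REQUEST_THRESHOLD and WINDOW_SECONDS are illustrative choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AURA_PATH = "/s/sfsites/aura"   # endpoint named in the article
REQUEST_THRESHOLD = 20          # Aura requests within one window that count as a burst
WINDOW_SECONDS = 60

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def aura_requests_by_ip(lines):
    """Collect the timestamps of every request to the Aura endpoint, keyed by client IP."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(AURA_PATH):
            continue
        per_ip[rec["ip"]].append(rec["ts"])
    return per_ip


def peak_window_count(timestamps, window_seconds=WINDOW_SECONDS):
    """Largest number of requests that fall inside any single window of window_seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        # Slide the left edge forward until the window fits.
        while (ts[right] - ts[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_scan_candidates(lines, threshold=REQUEST_THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return {ip: peak_count} for clients whose Aura request rate reaches the threshold."""
    candidates = {}
    for ip, stamps in aura_requests_by_ip(lines).items():
        peak = peak_window_count(stamps, window_seconds)
        if peak >= threshold:
            candidates[ip] = peak
    return candidates


# --- Constructed sample log (not real traffic) -------------------------------
def _log(ip, ts, method, path, ua):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


BASE = datetime(2026, 3, 10, 8, 0, 0, tzinfo=timezone.utc)
BROWSER_UA = "Mozilla/5.0"            # constructed
SCANNER_UA = "python-requests/2.31"   # constructed
SAMPLE_LOG = (
    # an ordinary visitor: one page load plus a few Aura calls spread over time
    [_log("198.51.100.4", BASE, "GET", "/s/", BROWSER_UA)]
    + [_log("198.51.100.4", BASE + timedelta(seconds=5 * i), "POST",
            f"{AURA_PATH}?r={i}", BROWSER_UA) for i in range(3)]
    # a scanner: 25 Aura calls in 25 seconds from one address
    + [_log("203.0.113.7", BASE + timedelta(seconds=i), "POST",
            f"{AURA_PATH}?r={i}", SCANNER_UA) for i in range(25)]
)

if __name__ == "__main__":
    for ip, peak in find_scan_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {peak} Aura requests within {WINDOW_SECONDS}s")
```

The check deliberately keys on volume per client rather than on any particular query, because the article's point is that the scans are ordinary requests to a legitimately exposed endpoint; a burst from one address is the signal, and the flagged addresses are then reviewed against the guest user configuration rather than blocked blindly.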

“This activity by threat actors reflects a broader trend of ‘identity concentration’,” it added. “The data collected from these scans – such as names and phone numbers – is often used to create targeted social engineering and ‘voice phishing’ campaigns.”
