Salesforce has warned of increased activity by threat actors aiming to exploit misconfigurations in publicly accessible Experience Cloud sites using a customized version of an open source tool called AuraInspector.
According to the company, this activity involves exploiting customers’ overly permissive Experience Cloud guest user settings to access sensitive data.
“Evidence shows threat actors are leveraging a modified version of the open source tool AuraInspector […] “To perform bulk scans of publicly available Experience Cloud sites,” Salesforce said.
“While the original AuraInspector was limited to identifying vulnerable objects by inspecting the API endpoints exposed by these sites (specifically the /s/sfsites/aura endpoint), attackers developed a custom version of the tool that could go beyond identification and actually extract data by exploiting overly permissive guest user settings.”
AuraInspector refers to an open source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. Released by Mandiant, a Google company, in January 2026.
Publicly accessible Salesforce sites use a dedicated guest user profile that allows unauthenticated users to access landing pages, FAQs, and knowledge articles. However, if this profile is incorrectly configured with excessive privileges, it may allow unauthenticated users to access more data than intended.
As a result, an attacker could exploit this security weakness to directly query Salesforce CRM objects without being logged in. For this attack to work, Experience Cloud customers must meet two conditions. It’s using a guest user profile and not following Salesforce’s recommended configuration guidance.
Salesforce said, “At this time, we are not aware of any Salesforce platform-specific vulnerabilities associated with this activity.” “These attempts focus on customer configuration settings, which can be at risk if not properly secured.”
The company attributed the campaign to a known threat actor group without naming them, raising the possibility that it was the work of ShinyHunters (also known as UNC6240), which has a history of targeting Salesforce environments through Salesloft and Gainsight third-party applications.
Salesforce recommends that customers review their Experience Cloud guest user settings, ensure that default external access for all objects is set to private, disable guest user access to public APIs, restrict visibility to prevent guest users from enumerating internal members of their organization, disable self-registration when not required, and monitor logs for unusual queries.
“This threat actor’s activity reflects a broader trend of ‘identity-based’ targeting,” it added. “Data collected during these scans, such as names and phone numbers, is often used to build subsequent targeted social engineering and ‘vishing’ (voice phishing) campaigns.”
Source link
