Salesforce has warned that threat actors are increasingly active against misconfigured, publicly accessible Experience Cloud sites, using a modified version of an open-source tool called AuraInspector. According to the company, the activity abuses customers' overly permissive Experience Cloud guest user settings to reach data that should be private.
Salesforce said, "Evidence shows that the threat actor is using a modified version of the open-source tool AuraInspector [...] to scan a lot of public-facing Experience Cloud sites."
"The original AuraInspector could only find vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint). However, the actor has made a custom version of the tool that can do more than just find things; it can also extract data by taking advantage of guest user settings that are too open."

AuraInspector is an open-source tool that helps security teams find and fix access control problems in the Salesforce Aura framework. It was released by Google-owned Mandiant in January 2026. Publicly accessible Salesforce sites use a dedicated guest user profile that lets unauthenticated visitors view landing pages, FAQs, and knowledge articles. If that profile is misconfigured with excessive permissions, it can expose far more data to unauthenticated users than intended.
As a result, an attacker can exploit the misconfiguration to query Salesforce CRM objects directly without logging in. Two conditions must both hold for the attack to work: the Experience Cloud site uses the guest user profile, and the customer has not applied Salesforce's recommended configuration. Salesforce said, "At this time, we have not found any security flaws in the Salesforce platform that are related to this activity."
"These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure." The company attributed the campaign to a known threat actor group but did not name it. That raises the possibility that the group is ShinyHunters (also tracked as UNC6240), which has a history of abusing third-party integrations from Salesloft and Gainsight to reach Salesforce environments, although Salesforce has not said so.
Salesforce recommends that customers review their Experience Cloud guest user settings: set Default External Access to Private for all objects, disable guest user access to public APIs, restrict visibility settings so guest users cannot see internal organization members, turn off self-registration where it is not needed, and monitor logs for unusual queries. It added, "This threat actor activity is part of a larger trend of 'identity-based' targeting."
"Data collected during these scans, including names and phone numbers, is frequently utilized to develop subsequent targeted social engineering and 'vishing' (voice phishing) campaigns."
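The two conditions described above (guest profile Read on an object, plus a Default External Access that is not Private) can be checked from the admin side without touching the Aura endpoint. The following is an added example, not code from the article, from Salesforce, or from AuraInspector. It works offline on two exported SOQL result sets in the `records` shape the Salesforce REST API returns; the query text in the comments is the example's own assumption about how to pull those records, and every record, the object names, and the `PUBLIC_ALLOWLIST` are constructed for illustration.

```python
"""Audit which Salesforce objects an unauthenticated guest user could read.

Added example for this article; it is not Salesforce's or Mandiant's code
and is not AuraInspector. It works offline on two exported SOQL result
sets, in the `records` shape the Salesforce REST API returns. The query
text in the comments and every record below are constructed for
illustration; adjust the license filter and object list to your org.
"""
import json

# Constructed: `records` from a query such as (assumed query text)
#   SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords
#   FROM ObjectPermissions
#   WHERE Parent.IsOwnedByProfile = true
#     AND Parent.Profile.UserLicense.Name = 'Guest User License'
GUEST_OBJECT_PERMS = json.loads("""[
  {"SobjectType": "Knowledge__kav", "PermissionsRead": true,  "PermissionsViewAllRecords": false},
  {"SobjectType": "Contact",        "PermissionsRead": true,  "PermissionsViewAllRecords": false},
  {"SobjectType": "Case",           "PermissionsRead": true,  "PermissionsViewAllRecords": true},
  {"SobjectType": "Opportunity",    "PermissionsRead": false, "PermissionsViewAllRecords": false}
]""")

# Constructed: `records` from a Tooling API query such as (assumed query text)
#   SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition
ENTITY_DEFINITIONS = json.loads("""[
  {"QualifiedApiName": "Knowledge__kav", "ExternalSharingModel": "Read"},
  {"QualifiedApiName": "Contact",        "ExternalSharingModel": "Read"},
  {"QualifiedApiName": "Case",           "ExternalSharingModel": "Private"},
  {"QualifiedApiName": "Opportunity",    "ExternalSharingModel": "Read"}
]""")

# Constructed: objects the public site is meant to serve to anonymous visitors.
PUBLIC_ALLOWLIST = {"Knowledge__kav"}

SEVERITY_ORDER = ("HIGH", "LOW", "INFO")


def audit_guest_exposure(perms, entity_defs, allowlist=PUBLIC_ALLOWLIST):
    """Return one finding per object the guest profile can read.

    Both conditions from the advisory are evaluated: object-level Read on
    the guest profile AND a Default External Access (org-wide default for
    external users) that is not Private. View All Records bypasses sharing
    outright, so it is flagged regardless of the sharing model. An object
    with no known sharing model is treated as exposed (conservative default).
    """
    ext_model = {e["QualifiedApiName"]: e["ExternalSharingModel"] for e in entity_defs}
    findings = []
    for p in perms:
        obj = p["SobjectType"]
        if not p["PermissionsRead"]:
            continue  # no object-level Read: the guest cannot query it at all
        model = ext_model.get(obj, "Unknown")
        if p["PermissionsViewAllRecords"]:
            sev, fix = "HIGH", "remove View All Records from the guest profile"
        elif model == "Private":
            sev, fix = "LOW", "review sharing rules that grant guest access to records"
        elif obj in allowlist:
            sev, fix = "INFO", "intended public content; confirm no sensitive fields are exposed"
        else:
            sev, fix = "HIGH", "set Default External Access to Private"
        findings.append({"object": obj, "severity": sev, "external_model": model, "fix": fix})
    # Stable sort: worst findings first, input order preserved within a severity.
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


def needs_remediation(findings):
    """Objects an anonymous visitor could bulk-read through the guest context today."""
    return [f["object"] for f in findings if f["severity"] == "HIGH"]


if __name__ == "__main__":
    for f in audit_guest_exposure(GUEST_OBJECT_PERMS, ENTITY_DEFINITIONS):
        print(f"{f['severity']:<5} {f['object']:<15} external={f['external_model']:<8} {f['fix']}")
```

On the constructed input, `Contact` is flagged because the guest profile can read it and its external default is `Read`, and `Case` is flagged because View All Records on the guest profile makes the Private default irrelevant; `Knowledge__kav` is reported as intended public content, and `Opportunity` is skipped because the guest profile has no Read on it. Re-running the audit after setting the external default to Private and removing View All Records leaves nothing at HIGH, which is the state the recommendations above describe.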