Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool  Ravie Lakshmanan  Mar 10, 2026 Cloud Security / API Security Salesforce has warned of an increase in threat actor activity that's aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites by making use of a customized version of an open-source tool called AuraInspector. The activity, per the company, involves the exploitation of customers' overly permissive Experience Cloud guest user configurations to obtain access to sensitive data. "Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector [...] to perform mass scanning of public-facing Experience Cloud sites," Salesforce said . "While the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings." AuraInspector refers to an open-source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. It was released by Google-owned Mandiant in January 2026. Publicly accessible Salesforce sites use a dedicated guest user profile that enables an unauthenticated user to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can potentially grant unauthenticated users access to more data than intended. As a result, an attacker could exploit this security weakness to directly query Salesforce CRM objects without logging in. For this attack to work, two conditions have to be satisfied by Experience Cloud customers: they are using the guest user profile and have not adhered to Salesforce's recommended configuration guidance. "At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity," Salesforce said . "These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure." The company attributed the campaign to a known threat actor group without taking its name, raising the possibility that it could be the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce environments via third-party applications from Salesloft and Gainsight . Salesforce is recommending customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries. "This threat actor activity reflects a broader trend of ' identity-based ' targeting," it added. "Data harvested in these scans, such as names and phone numbers – is often used to build follow-on targeted social engineering and 'vishing' (voice phishing) campaigns." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  API Security , Cloud security , CRM Security , cybersecurity , Identity Security , Salesforce , social engineering Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps