Modified AuraInspector Tool Used to Scan and Extract Data from Salesforce Systems

Thursday, March 12, 2026

Salesforce's security team (CSOC) has warned that threat actors are actively scanning publicly accessible Salesforce Experience Cloud sites with a modified version of AuraInspector to identify and extract sensitive data. The original AuraInspector is an open-source tool developed by Google and Mandiant to audit Salesforce Aura and Experience Cloud applications for data-exposure risks. It simulates access as a guest user to detect misconfigured access controls that could unintentionally expose sensitive records, such as Accounts, Contacts, or Leads, through APIs or Aura endpoints.

According to the report, attackers have built a customized version of the tool that goes beyond vulnerability discovery and actively extracts data from vulnerable systems. The tool specifically targets the /s/sfsites/aura endpoint, which can allow unauthorized data access when guest user permissions are misconfigured or overly permissive. As a result, sensitive information stored in CRM systems can be read without authorization and later used in follow-on attacks such as social engineering or voice phishing (vishing).

Salesforce emphasized that the issue does not stem from a vulnerability in the platform itself, but from insecure configuration by customers. Nevertheless, the company recommends that organizations using Experience Cloud urgently review their Guest User Access settings, restrict public access where possible, disable unnecessary APIs, and closely monitor system activity. Salesforce also noted that the campaign may be linked to cybercriminal groups previously associated with attacks on Salesforce environments, including ShinyHunters.
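Salesforce's advice to monitor system activity can be turned into a simple detection. The following Python is added here and is not part of the article or of any Salesforce or Google tooling: it parses constructed web access-log lines and flags clients that issue bursts of successful requests to the /s/sfsites/aura endpoint, the pattern an automated scraper leaves behind. The combined log format, field names, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real Salesforce telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:00:01 +0000] "POST /s/sfsites/aura?r=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:00:02 +0000] "POST /s/sfsites/aura?r=2 HTTP/1.1" 200 7300 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2026:10:00:03 +0000] "GET /s/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:04 +0000] "POST /s/sfsites/aura?r=3 HTTP/1.1" 200 6100 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2026:10:00:05 +0000] "POST /s/sfsites/aura?r=1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:06 +0000] "POST /s/sfsites/aura?r=4 HTTP/1.1" 200 8000 "-" "python-requests/2.31"
"""

# Assumed layout: client, ident, user, [timestamp], "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
AURA_PATH = "/s/sfsites/aura"  # endpoint named in the advisory


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_aura_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: {"count", "bytes", "user_agents"}} for clients with >= threshold
    successful (200) Aura calls inside any sliding window of the given length."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == AURA_PATH and rec["status"] == "200":
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):           # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"count": peak,
                          "bytes": sum(r["size"] for r in recs),   # data volume returned to the client
                          "user_agents": sorted({r["ua"] for r in recs})}
    return alerts


if __name__ == "__main__":
    for ip, info in find_aura_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['count']} Aura calls, {info['bytes']} bytes, UA {info['user_agents']}")
```

The byte total is a useful secondary signal: a guest session pulling large Aura responses in rapid succession is worth correlating with the Guest User Access review the advisory recommends.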

Source: https://securityaffairs.com/189214/security/threat-actors-use-custom-aurainspector-to-harvest-data-from-salesforce-systems.html