Threat actors use custom AuraInspector to harvest data from Salesforce systems


Pierluigi Paganini
March 10, 2026

Attackers are mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool to exploit misconfigurations and access sensitive data.

Salesforce CSOC warns that threat actors are mass-scanning publicly accessible Experience Cloud sites using a modified version of the AuraInspector tool.

AuraInspector is an open-source command-line tool released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access-control misconfigurations that might expose sensitive records (e.g., Accounts, Contacts, Leads) via Aura methods, record lists, or GraphQL controllers.

The campaign targets misconfigured guest user settings that are overly permissive, allowing attackers to access sensitive data from exposed environments.

“Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites,” reads the report published by Salesforce. “While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.”

Misconfigured sites risk exposing CRM data, which can then be used for targeted social engineering or vishing attacks.

The company said the activity does not involve a platform vulnerability but exploits customer misconfigurations. Organizations are urged to review and secure Experience Cloud guest user settings to reduce exposure.

“At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity. These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure,” reads the security advisory. “We encourage customers to review their Experience Cloud guest user settings and take immediate recommended actions. For additional details and steps to help protect your org, please see our blog: https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/”

Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, known for targeting Salesforce environments through third-party apps. The company urges customers to secure Experience Cloud guest settings, restrict public access, disable unnecessary APIs, and monitor logs.
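Log monitoring, the last of the recommendations above, as an added example that is not Salesforce's or Mandiant's code: it flags clients that burst requests at the /s/sfsites/aura endpoint named in the report, assuming a reverse proxy or WAF in front of the Experience Cloud site writes combined-format access logs (the sample lines, IPs and threshold are constructed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "combined" access-log format a reverse proxy or WAF
# in front of an Experience Cloud site might write. Not Salesforce's own logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "POST /s/sfsites/aura?r=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "POST /s/sfsites/aura?r=2 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "POST /s/sfsites/aura?r=3 HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "POST /s/sfsites/aura?r=4 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:00:04 +0000] "POST /s/sfsites/aura?r=5 HTTP/1.1" 200 8192 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2026:08:00:06 +0000] "POST /s/sfsites/aura?r=1 HTTP/1.1" 200 700 "https://example.my.site.com/s/" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:08:10:00 +0000] "POST /s/sfsites/aura?r=2 HTTP/1.1" 200 700 "https://example.my.site.com/s/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
AURA_PATH = "/s/sfsites/aura"  # endpoint the report says the tool probes

def parse(log_text):
    """Yield a dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_aura_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (peak hits in any window, all_without_referer)} for clients
    whose Aura-endpoint request rate reaches `threshold`; no Referer = direct API client."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["path"].split("?", 1)[0] == AURA_PATH:
            hits[rec["ip"]].append((rec["ts"], rec["referer"] == "-"))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        best = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, all(no_ref for _, no_ref in events))
    return flagged
```

Tune `window` and `threshold` to the site's normal guest traffic; a browser user interacting with a page also calls the Aura endpoint, but with a Referer from the site and at a far lower rate.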
