
Salesforce Experience Cloud Targeted by Threat Actors Leveraging Modified AuraInspector Tool

  • Mar 10

Key Findings


  • Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the open-source AuraInspector tool.

  • The modified tool is capable of extracting data by exploiting overly permissive guest user settings, allowing access to sensitive CRM data.

  • The activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues.

  • The campaign is attributed to a known threat actor group, possibly ShinyHunters, which has a history of targeting Salesforce environments.


Background


AuraInspector is an open-source command-line tool released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access-control misconfigurations that might expose sensitive records.


Threat Actor Activity


  • Evidence indicates the threat actor is leveraging a modified version of AuraInspector to perform mass scanning of public-facing Experience Cloud sites.

  • While the original AuraInspector is limited to identifying vulnerable objects, the actor's custom version can extract data by exploiting overly permissive guest user settings.

  • This allows the attacker to directly query Salesforce CRM objects without logging in, potentially exposing sensitive data.


Customer Implications


  • The threat actor activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues.

  • For the attack to work, two conditions must be satisfied: the use of the guest user profile and the presence of excessive permissions.

  • Misconfigured sites risk exposing CRM data, which can then be used for targeted social engineering or vishing attacks.


Salesforce Recommendations


  • Review and secure Experience Cloud guest user settings to reduce exposure.

  • Ensure the Default External Access for all objects is set to Private.

  • Disable guest users' access to public APIs.

  • Restrict visibility settings to prevent guest users from enumerating internal organization members.

  • Disable self-registration if not required.

  • Monitor logs for unusual queries.
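As an added example (not code from the post, from Salesforce, or from AuraInspector), a small Python audit for the second recommendation above: it reads object metadata retrieved in SFDX source format and flags every object whose Default External Access (the `externalSharingModel` metadata field) is anything other than Private. The directory layout it walks and the sample XML it ships with are assumptions and constructed data.

```python
"""Audit Salesforce object metadata for a non-Private Default External Access.

Added example, not from the post or from AuraInspector. Assumes an org retrieved
in SFDX source format, where objects/<Name>/<Name>.object-meta.xml carries the
<externalSharingModel> element behind the "Default External Access" setting.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

def external_sharing_model(xml_text):
    """Return the externalSharingModel value, or None when the element is absent."""
    node = ET.fromstring(xml_text).find("sf:externalSharingModel", NS)
    return node.text.strip() if node is not None and node.text else None

def audit_objects(object_xml):
    """Map {object API name: metadata XML} to sorted (object, model) findings.
    Anything other than Private is a finding; a missing element is reported as
    UNSET so it is reviewed rather than silently trusted."""
    findings = []
    for name, text in object_xml.items():
        model = external_sharing_model(text) or "UNSET"
        if model != "Private":
            findings.append((name, model))
    return sorted(findings)

def load_sfdx_objects(source_root):
    """Collect every object metadata file below an SFDX project directory."""
    return {p.name.removesuffix(".object-meta.xml"): p.read_text(encoding="utf-8")
            for p in Path(source_root).rglob("*.object-meta.xml")}

# Constructed sample metadata standing in for a retrieved org.
SAMPLE = {
    "Account": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <externalSharingModel>Private</externalSharingModel>
  <sharingModel>ReadWrite</sharingModel></CustomObject>""",
    "Contact": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <externalSharingModel>Read</externalSharingModel>
  <sharingModel>Private</sharingModel></CustomObject>""",
    "Support_Case__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <sharingModel>ReadWrite</sharingModel></CustomObject>""",
}

if __name__ == "__main__":
    for name, model in audit_objects(SAMPLE):
        print(f"{name}: Default External Access is {model}, expected Private")
```

Against a real retrieval, replace `SAMPLE` with `load_sfdx_objects("force-app/main/default/objects")` and treat every finding as an object a guest user may be able to read through Aura endpoints.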


Threat Actor Attribution


  • Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, which has a history of targeting Salesforce environments.

  • ShinyHunters has claimed to have breached "several hundred" companies as part of the Salesforce Aura Campaign.


Sources


  • https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html

  • https://securityaffairs.com/189214/security/threat-actors-use-custom-aurainspector-to-harvest-data-from-salesforce-systems.html

© 2025 by Explain IT Again. Powered and secured by Wix