Attackers are mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool to exploit misconfigurations and access sensitive data.
Salesforce CSOC warns that threat actors are mass-scanning publicly accessible Experience Cloud sites using a modified version of the AuraInspector tool.
AuraInspector is an open-source command-line tool released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access-control misconfigurations that might expose sensitive records (e.g., Accounts, Contacts, Leads) via Aura methods, record lists, or GraphQL controllers.
The campaign targets misconfigured guest user settings that are overly permissive, allowing attackers to access sensitive data from exposed environments.
“Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites,” reads the report published by Salesforce. “While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.”
Misconfigured sites risk exposing CRM data, which can then be used for targeted social engineering or vishing attacks.
The company said the activity does not involve a platform vulnerability but exploits customer misconfigurations. Organizations are urged to review and secure Experience Cloud guest user settings to reduce exposure.
“At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity. These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure,” reads the security advisory. “We encourage customers to review their Experience Cloud guest user settings and take immediate recommended actions. For additional details and steps to help protect your org, please see our blog: https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/”

Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, known for targeting Salesforce environments through third-party apps. The company urges customers to secure Experience Cloud guest settings, restrict public access, disable unnecessary APIs, and monitor logs.
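As an added illustration of the log-monitoring advice above (example code written for this article, not Salesforce's or the report's own tooling): a small Python detector that reads constructed access-log lines and flags source IPs issuing bursts of unauthenticated requests to the /s/sfsites/aura endpoint named in the report. The log line format, IP addresses, threshold and time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Salesforce telemetry); user "-" means guest/unauthenticated.
# Format assumed here: "<timestamp> <client ip> <method> <path> <status> <user>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 POST /s/sfsites/aura 200 -
2024-05-01T10:00:02Z 203.0.113.5 POST /s/sfsites/aura 200 -
2024-05-01T10:00:02Z 203.0.113.5 POST /s/sfsites/aura 200 -
2024-05-01T10:00:03Z 203.0.113.5 POST /s/sfsites/aura 200 -
2024-05-01T10:00:05Z 198.51.100.7 POST /s/sfsites/aura 200 alice@example.com
2024-05-01T10:00:00Z 192.0.2.44 POST /s/sfsites/aura 200 -
2024-05-01T10:03:00Z 192.0.2.44 POST /s/sfsites/aura 200 -
2024-05-01T10:06:00Z 192.0.2.44 POST /s/sfsites/aura 200 -
garbage line that should be skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<user>\S+)$")
AURA_PATH = "/s/sfsites/aura"  # endpoint named in the Salesforce report

def parse_line(line):
    """Parse one log line into a dict; return None for malformed input instead of crashing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def guest_aura_events(log_text):
    """Collect timestamps of guest (unauthenticated) Aura-endpoint requests, keyed by source IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == AURA_PATH and rec["user"] == "-":
            events[rec["ip"]].append(rec["ts"])
    return events

def flag_scanners(log_text, threshold=3, window_seconds=60):
    """Return IPs with >= threshold guest Aura requests inside any window_seconds span (sliding window)."""
    flagged = []  # threshold and window_seconds are hypothetical tuning values, not from the report
    for ip, stamps in guest_aura_events(log_text).items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_seconds):
                start += 1  # slide the window forward past events that are too old
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

With the sample data, only 203.0.113.5 is flagged at the default 60-second window, while 192.0.2.44's three slow requests are flagged only once the window is widened; tune both values to the site's normal guest traffic.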
