Threat actors use custom AuraInspector to harvest data from Salesforce systems


Attackers are mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool to exploit misconfigurations and access sensitive data.

Salesforce CSOC warns that threat actors are mass-scanning publicly accessible Experience Cloud sites using a modified version of the AuraInspector tool.

AuraInspector is an open‑source command‑line tool released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access‑control misconfigurations that might expose sensitive records (e.g., Accounts, Contacts, Leads) via Aura methods, record lists, or GraphQL controllers.

The campaign targets misconfigured guest user settings that are overly permissive, allowing attackers to access sensitive data from exposed environments.




“Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites,” reads the report published by Salesforce. “While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.”


Misconfigured sites risk exposing CRM data, which can then be used for targeted social engineering or vishing attacks.

The company said the activity does not involve a platform vulnerability but exploits customer misconfigurations. Organizations are urged to review and secure Experience Cloud guest user settings to reduce exposure.

“At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity. These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure,” reads the security advisory. “We encourage customers to review their Experience Cloud guest user settings and take immediate recommended actions. For additional details and steps to help protect your org, please see our blog: https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/”


Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, known for targeting Salesforce environments through third-party apps. The company urges customers to secure Experience Cloud guest settings, restrict public access, disable unnecessary APIs, and monitor logs.
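
The advice to monitor logs can be turned into a check for bursts of guest traffic against the /s/sfsites/aura endpoint named in the report. The following is an added example, not code from Salesforce, Mandiant or this article; the CSV columns, the thresholds and the sample rows are constructed assumptions, not a real Salesforce log schema.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the Salesforce report
WINDOW = timedelta(minutes=5)  # assumed burst window
LIMIT = 3                      # assumed max guest calls per source per window

# Constructed sample export; the column names are hypothetical, not a Salesforce schema.
SAMPLE_LOG = """ts,src_ip,user_type,method,path,resp_bytes
2026-01-01T10:00:00,203.0.113.50,guest,POST,/s/sfsites/aura,900
2026-01-01T10:00:02,203.0.113.50,guest,POST,/s/sfsites/aura,48000
2026-01-01T10:00:04,203.0.113.50,guest,POST,/s/sfsites/aura,51000
2026-01-01T10:00:06,203.0.113.50,guest,POST,/s/sfsites/aura,47000
2026-01-01T10:00:08,203.0.113.50,guest,POST,/s/sfsites/aura,52000
2026-01-01T10:00:01,198.51.100.7,guest,POST,/s/sfsites/aura,1200
2026-01-01T10:12:00,198.51.100.7,guest,POST,/s/sfsites/aura,1100
2026-01-01T10:25:00,198.51.100.7,guest,POST,/s/sfsites/aura,1300
2026-01-01T10:40:00,198.51.100.7,guest,POST,/s/sfsites/aura,1250
2026-01-01T10:00:03,192.0.2.10,member,POST,/s/sfsites/aura,2000
2026-01-01T10:00:05,192.0.2.10,member,POST,/s/sfsites/aura,2100
2026-01-01T10:00:07,192.0.2.10,member,POST,/s/sfsites/aura,1900
2026-01-01T10:00:09,192.0.2.10,member,POST,/s/sfsites/aura,2050
"""

def flag_guest_aura_bursts(log_text, window=WINDOW, limit=LIMIT):
    """Map src_ip -> (peak guest calls in any window, total response bytes)
    for sources that exceed `limit` guest calls to the Aura endpoint."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["path"].split("?", 1)[0].rstrip("/")
        if row["user_type"] != "guest" or not path.endswith(AURA_PATH):
            continue  # authenticated users and other endpoints are out of scope
        hits[row["src_ip"]].append((datetime.fromisoformat(row["ts"]), int(row["resp_bytes"])))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = (peak, sum(size for _, size in events))
    return flagged

if __name__ == "__main__":
    for ip, (peak, total) in flag_guest_aura_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} guest Aura calls in one window, {total} bytes returned")
```

The window and limit need tuning against a site's normal guest traffic; the response-byte total is reported alongside the call count because the report distinguishes probing from actual data extraction.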

Pierluigi Paganini


