Ethical Hacking News

Mass-Scan Malware: Threat Actors Exploit Salesforce Experience Cloud Misconfigurations via Customized AuraInspector Tool


Threat actors are exploiting misconfigurations in publicly accessible Salesforce Experience Cloud sites using a customized version of the open-source tool AuraInspector. The attackers are gaining unauthorized access to sensitive data by leveraging overly permissive guest user settings, which can be used for targeted social engineering and 'vishing' campaigns.

  • Salesforce has warned of a significant increase in malicious activity targeting its Experience Cloud sites due to overly permissive guest user configurations.
  • A custom version of the open-source tool AuraInspector is being used by threat actors to exploit these misconfigurations and gain unauthorized access to sensitive data.
  • Publicly accessible Salesforce sites are vulnerable if their guest user profiles have excessive permissions, allowing attackers to directly query CRM objects without logging in.
  • Salesforce recommends reviewing Experience Cloud guest user settings, disabling public API access for guest users, and restricting visibility settings to prevent unauthorized access.
  • The threat actor activity highlights the importance of regular security audits, configuration reviews, and adherence to recommended security guidelines to protect against identity-based attacks.



Salesforce, a leading cloud-based customer relationship management (CRM) platform, has issued an alert regarding a significant increase in malicious activity targeting its publicly accessible Experience Cloud sites. The threat actors, who have been using a modified version of the open-source tool AuraInspector, are taking advantage of customers' overly permissive guest user configurations to gain unauthorized access to sensitive data.

AuraInspector is an open-source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework. The original AuraInspector was released by Google-owned Mandiant in January 2026 and is limited to identifying vulnerable objects by probing the API endpoints that these sites expose. The threat actors, however, have developed a custom version of the tool that goes further and extracts data from public-facing Experience Cloud sites whose guest user settings are overly permissive.

Publicly accessible Salesforce sites rely on a dedicated guest user profile that lets an unauthenticated visitor access landing pages, FAQs, and knowledge articles. If this profile is misconfigured with excessive permissions, it can grant unauthenticated users access to far more data than intended, and attackers can use that weakness to query Salesforce CRM objects directly without logging in. For the attack to work, two conditions must both hold: the customer uses the guest user profile, and that profile has not been configured according to Salesforce's recommended guidance.

Salesforce has stated that it has not identified any vulnerability inherent to the platform in connection with this activity. Instead, the company attributes the campaign to a known threat actor group without naming it, raising the possibility that it is the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce environments through third-party applications from Salesloft and Gainsight.

To mitigate this threat, Salesforce recommends that customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings so guest users cannot enumerate internal organization members, disable self-registration if it is not required, and monitor logs for unusual queries. The company also notes that this threat actor activity reflects a broader trend of 'identity-based' targeting.
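The last recommendation above, monitoring logs for unusual queries, can be turned into a concrete check. The following is an added example, not code from the article, Salesforce or Mandiant: it scans a constructed access log for two signals described in the article, a guest (unauthenticated) principal reaching CRM objects outside the content a public site is meant to serve, and a single source hitting many distinct objects in a short window, which is the mass-scan pattern. The log format, the object allowlist and the thresholds are assumptions; map the fields onto your real Salesforce event log or WAF export.

```python
"""Flag guest-user mass enumeration of CRM objects in Experience Cloud logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist: objects a guest profile legitimately serves on a public site.
PUBLIC_OBJECTS = {"Knowledge__kav", "FAQ__c"}

# Constructed sample log: timestamp, source IP, principal type, object queried.
SAMPLE_LOG = """\
2026-03-09T10:00:01Z 203.0.113.7 Guest Knowledge__kav
2026-03-09T10:00:02Z 203.0.113.7 Guest Knowledge__kav
2026-03-09T10:00:04Z 198.51.100.9 Guest Account
2026-03-09T10:00:05Z 198.51.100.9 Guest Contact
2026-03-09T10:00:06Z 198.51.100.9 Guest Case
2026-03-09T10:00:07Z 198.51.100.9 Guest Opportunity
2026-03-09T10:00:08Z 198.51.100.9 Guest User
2026-03-09T10:00:09Z 192.0.2.5 Authenticated Account
2026-03-09T10:01:30Z 203.0.113.7 Guest Contact
"""


def parse(line):
    """Split one constructed log line into (timestamp, ip, principal, object)."""
    ts, ip, principal, obj = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, principal, obj


def detect(log_text, window=timedelta(seconds=60), max_objects=3):
    """Return findings keyed by source IP for guest (unauthenticated) traffic only.

    'non_public'  : objects reached that are outside the public allowlist.
    'enumeration' : True once more than max_objects distinct objects are hit
                    by the same source inside the sliding window.
    """
    findings = defaultdict(lambda: {"non_public": set(), "enumeration": False})
    recent = defaultdict(list)  # ip -> [(timestamp, object)] still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, obj = parse(line)
        if principal != "Guest":
            continue  # authenticated users are outside the guest-profile review
        if obj not in PUBLIC_OBJECTS:
            findings[ip]["non_public"].add(obj)
        recent[ip] = [(t, o) for t, o in recent[ip] if ts - t <= window] + [(ts, obj)]
        if len({o for _, o in recent[ip]}) > max_objects:
            findings[ip]["enumeration"] = True
    return dict(findings)
```

In the sample, 198.51.100.9 trips both signals, 203.0.113.7 only the allowlist check (its Contact query sits outside the window of its earlier requests), and the authenticated source is ignored.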

The attackers have been using the customized AuraInspector tool to mass-scan public-facing Experience Cloud sites. This indicates that they are exploiting customers' misconfigurations to reach sensitive data, which can then be used for targeted social engineering and 'vishing' (voice phishing) campaigns. The use of a custom build of an open-source auditing tool underscores the resourcefulness of the threat actors in turning these misconfigurations to their advantage.

The incident highlights the importance of regular security audits and configuration reviews for Experience Cloud customers. Failure to follow the recommended configuration guidance can leave organizations open to exploitation by malicious actors. Salesforce's recommendations serve as a timely reminder to ensure that guest user settings are properly secured and that default external access is restricted, so that unauthorized access to sensitive data is prevented.

The threat actor activity also underscores the need for organizations to implement robust security measures to protect their data against identity-based attacks. By following best practices and implementing effective security controls, businesses can reduce the risk of falling victim to targeted social engineering campaigns.

In conclusion, the mass-scan malware incident highlights the importance of regular security audits, configuration reviews, and adherence to recommended security guidelines. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and implement robust security measures to protect their data against emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Mass-Scan-Malware-Threat-Actors-Exploit-Salesforce-Experience-Cloud-Misconfigurations-via-Customized-AuraInspector-Tool-ehn.shtml
  • https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html
  • https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/


  • Published: Tue Mar 10 04:21:50 2026 by llama3.2 3B Q4_K_M
