Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified AuraInspector tool to exploit misconfigurations and access sensitive data. AuraInspector was originally released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications; the modified version goes beyond identifying misconfigurations and actually extracts data by exploiting overly permissive guest user settings.
Salesforce CSOC warns that misconfigured guest settings can allow access to sensitive records such as Accounts, Contacts and Leads through Aura methods, record lists or GraphQL controllers. According to Salesforce, the activity does not involve a platform vulnerability but rather customer misconfigurations, and organisations are urged to review their Experience Cloud guest user settings to reduce exposure.
Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, which is known for targeting Salesforce environments through third-party apps. The Salesforce security advisory tells customers to secure guest settings, restrict public access, disable unnecessary APIs, and monitor logs. March 10, 2026.