Threat actors mass-scan Salesforce Experience Cloud using modified AuraInspector tool

Peter Chofield
Salesforce says threat actors are increasingly targeting publicly accessible Experience Cloud sites by using a customized version of the open-source AuraInspector tool to scan for overly permissive guest-user configurations. According to the company, the activity is aimed at finding sites where misconfigurations allow access to sensitive information.

The company said attackers are abusing guest-user access on Experience Cloud deployments that expose more data than intended. By modifying AuraInspector, the actors can identify and interact with Salesforce Aura endpoints in ways that help them enumerate site components and look for openings created by insecure guest-user settings.

Salesforce described the issue as a customer-configuration problem rather than a flaw in the platform itself. The company said the activity involves exploitation of customers’ overly permissive Experience Cloud guest-user configurations to obtain access to sensitive information from exposed sites.

The latest warning fits a broader pattern of cloud-platform data exposure that Cyberwarzone has covered before, including the incident in which data from Salesforce customers was stolen through Gainsight apps and cloud-native attack activity that turned configuration weaknesses into data-theft opportunities.

Salesforce’s warning centers on publicly accessible Experience Cloud sites that are configured in ways that grant guest users more access than they should have. The use of a modified AuraInspector tool shows the activity is structured around mass discovery and targeted follow-on access rather than opportunistic browsing.