SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm
Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.
Darktrace, a leading cybersecurity research firm, has identified what is believed to be the first documented instance of threat actors exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the evasive Auto-Color backdoor malware.
This flaw, disclosed by SAP SE on April 24, 2025 and assigned a CVSS score of 10, is particularly dangerous as it enables attackers to upload malicious files to the SAP NetWeaver application server, potentially leading to remote code execution and full system compromise.
**About Auto-Color**
The Auto-Color Backdoor, first seen in November 2024 and previously observed targeting systems in the US and Asia, is a Remote Access Trojan (RAT) named for its ability to rename itself to “/var/log/cross/auto-color” post-execution. It primarily targets Linux systems, often found in universities and government institutions in the US and Asia.
Auto-Color is highly evasive, exploiting built-in Linux features like ld.so.preload for persistent system compromise. Each instance is unique due to statically compiled and encrypted command-and-control (C2) configurations. A key new finding is the malware’s suppression tactic: it can “pretend to be sleep” if C2 connections fail, appearing benign to analysts and hiding its full capabilities during analysis.
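The two host-level traits described above, the `ld.so.preload` persistence and the rename to `/var/log/cross/auto-color`, are both cheap to check for. The script below is an added example, not Darktrace's tooling: it parses `ld.so.preload` content the way the loader does (whitespace or colons separate entries, `#` starts a comment), flags entries that are not on an administrator's allowlist or that live in unusual directories, and reports the known rename path if it exists. Inputs are passed in as strings and sets so it runs offline on constructed data; the allowlist and the sample library name are assumptions.

```python
"""Host check for two Auto-Color traits: an unexpected ld.so.preload entry
and the /var/log/cross/auto-color file. Added example, not vendor code."""
import os
import re

# Path the article says the malware renames itself to after execution
AUTO_COLOR_PATH = "/var/log/cross/auto-color"

# Assumption: shared objects an admin has deliberately preloaded (empty on most hosts)
DEFAULT_ALLOWLIST = frozenset()

# Directories a dropper is likely to write to; a legitimate preload lives elsewhere
UNUSUAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/log/", "/home/")


def parse_ld_so_preload(text):
    """Return library paths from ld.so.preload text.
    glibc separates entries with whitespace or ':' and ignores '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for tok in re.split(r"[\s:]+", line):
            if tok:
                entries.append(tok)
    return entries


def suspicious_preload_entries(text, allowlist=DEFAULT_ALLOWLIST):
    """(entry, reason) pairs for every preload entry not on the allowlist."""
    flagged = []
    for entry in parse_ld_so_preload(text):
        if entry in allowlist:
            continue
        reason = "not in allowlist"
        if entry.startswith(UNUSUAL_DIRS):
            reason += ", unusual directory"
        flagged.append((entry, reason))
    return flagged


def auto_color_indicators(preload_text, present_paths, allowlist=DEFAULT_ALLOWLIST):
    """Combine the preload check with the rename-path check.
    present_paths is the set of files known to exist, so the check runs offline."""
    findings = [
        f"ld.so.preload: {entry} ({reason})"
        for entry, reason in suspicious_preload_entries(preload_text, allowlist)
    ]
    if AUTO_COLOR_PATH in present_paths:
        findings.append(f"file present: {AUTO_COLOR_PATH}")
    return findings


def check_live_host(allowlist=DEFAULT_ALLOWLIST):
    """Run the same checks against the real files on this machine."""
    text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            text = fh.read()
    present = {AUTO_COLOR_PATH} if os.path.exists(AUTO_COLOR_PATH) else set()
    return auto_color_indicators(text, present, allowlist)


# Constructed sample data; the library name is a placeholder, not a real IoC
SAMPLE_PRELOAD = "# system libs\n/usr/lib/libfoo.so  /var/log/cross/libsample.so\n"
SAMPLE_PATHS = {"/usr/lib/libfoo.so", "/var/log/cross/auto-color"}

if __name__ == "__main__":
    for finding in auto_color_indicators(SAMPLE_PRELOAD, SAMPLE_PATHS, {"/usr/lib/libfoo.so"}):
        print("[!]", finding)
```

On a real host, `check_live_host()` reads `/etc/ld.so.preload` and stats the rename path; an empty result on a host that has no deliberate preloads is the expected baseline, and any entry under `/var/log` or a temp directory warrants pulling the file for analysis before the host is rebooted.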
**Attack Timeline: SAP Exploit to Malware Delivery**
The research was shared with Hackread.com ahead of its publication on Tuesday. According to Darktrace, in April 2025 its Security Operations Centre (SOC) identified a multi-stage Auto-Color attack on the network of a US-based chemicals company.
According to researchers, initial scanning for CVE-2025-31324 was observed from April 25. Active exploitation began on April 27, with an incoming connection from IP 91.193.19.109 and a ZIP file download signalling the exploit.
The compromised device immediately made suspicious DNS requests for Out-of-Band Application Security Testing (OAST) domains on April 27 and 28, a tactic for vulnerability testing or data tunnelling.
Timeline of Exploit (Source: Darktrace)
Roughly ten hours later, on April 27, a shell script (config.sh) was downloaded. The device then made connections to 47.97.42.177, an endpoint linked to Supershell, a C2 platform. Less than 12 hours later, on April 28, the Auto-Color ELF malware file was downloaded from 146.70.41.178. Darktrace’s investigation confirmed this was the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware.
**AI-Powered Security Halts Stealthy Intrusion**
Darktrace’s AI-driven Autonomous Response capability quickly intervened, enforcing a “pattern of life” on the affected device for 30 minutes, starting on April 28. This prevented further malicious actions while allowing normal business operations. Multiple alerts were triggered, prompting investigation by Darktrace’s Managed Detection and Response (MDR) service.
Alerts from the device’s Model Alert Log (Source: Darktrace)
Analysts extended the Autonomous Response actions for an additional 24 hours, giving the customer’s security team crucial time for investigation and remediation.
This incident highlights that despite urgent disclosures, vulnerabilities like CVE-2025-31324 remain actively exploited, leading to more persistent threats. Darktrace’s timely detection and autonomous response ensured the threat was contained, preventing escalation and demonstrating the power of AI in thwarting sophisticated, multi-stage attacks.
Since CVE-2025-31324 remains actively exploited despite disclosure, organisations should take immediate action, said Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit.
“Immediately patch SAP NetWeaver systems against CVE-2025-31324, but if for some reason they cannot install the patch, they should immediately stop exposing these SAP NetWeaver installations on the internet, isolate them and block the /developmentserver/metadatauploader endpoint and also deploy a zero-trust architecture that assumes breach and verifies every network transaction before transmission,” stressed Mayuresh.
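Two of the indicators in this article are visible in ordinary logs: the timeline above shows scanning followed by an upload, and the Qualys advice names the `/developmentserver/metadatauploader` endpoint that the upload goes through; the OAST DNS lookups seen on April 27 and 28 are the post-exploitation callbacks. The script below is an added example, not Darktrace's or Qualys's code, that triages web-server access logs for hits on that endpoint (a GET is a probe, a POST is an upload attempt, a 2xx on a POST means the server accepted the file) and flags DNS queries for OAST domains. The log lines are constructed, the DNS log format is an assumption, and the OAST suffix list is an illustrative starting set of public interaction services rather than anything from the incident.

```python
"""Triage access and DNS logs for the CVE-2025-31324 indicators named in
the article. Added example; all sample lines are constructed."""
import re
from collections import defaultdict

# Upload endpoint Qualys advises blocking when the patch cannot be applied
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: suffixes of a few well-known public OAST services; extend for your environment
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                 "oast.me", "interact.sh", "burpcollaborator.net")

# Apache/nginx combined log format
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumed resolver log format: "<timestamp> <client> query: <qname> <qtype>"
DNS_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$')


def triage_access_log(lines):
    """Map source IP -> list of (timestamp, method, status, verdict) for hits
    on the uploader endpoint. Query strings are ignored when matching the path."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path != UPLOADER_PATH:
            continue
        method, status = m.group("method"), int(m.group("status"))
        if method == "POST":
            # An accepted upload means a file now sits on the application server
            verdict = "upload accepted" if 200 <= status < 300 else "upload attempt"
        else:
            verdict = "scan"
        hits[m.group("src")].append((m.group("ts"), method, status, verdict))
    return dict(hits)


def oast_lookups(lines):
    """Return (client, qname) pairs whose query name is under an OAST suffix."""
    out = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == s or qname.endswith("." + s) for s in OAST_SUFFIXES):
            out.append((m.group("client"), qname))
    return out


# Constructed sample lines using documentation IP ranges, not the incident's IoCs
SAMPLE_ACCESS = [
    '198.51.100.7 - - [25/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Apr/2025:08:14:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.5 - - [27/Apr/2025:08:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 9100',
]
SAMPLE_DNS = [
    '2025-04-27T09:01:00Z 10.0.5.20 query: c0ffee.oast.fun. A',
    '2025-04-27T09:01:05Z 10.0.5.20 query: updates.example.com. A',
]

if __name__ == "__main__":
    for src, events in triage_access_log(SAMPLE_ACCESS).items():
        for ts, method, status, verdict in events:
            print(f"{src} {ts} {method} {status} -> {verdict}")
    for client, qname in oast_lookups(SAMPLE_DNS):
        print(f"OAST lookup from {client}: {qname}")
```

A source that shows a scan followed by an accepted POST, and an internal host that then resolves an OAST name, reproduces the first two steps of the timeline above; that combination is the point at which the SAP host should be isolated and its filesystem checked for dropped files.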