A critical flaw in SAP NetWeaver has been exploited by hackers to deliver the Auto-Color backdoor, with one confirmed attack on a foreign country’s chemical company in April 2025.
Flaw Enables Remote Code Execution
The vulnerability, tracked as CVE-2025-31324, allowed unauthenticated file uploads that led to remote code execution (RCE). SAP patched the flaw in April, but threat actors had already used it to breach enterprise systems.
According to a report by Darktrace, the attackers infiltrated a network over three days. They downloaded suspicious files and connected to known Auto-Color malware infrastructure during the breach.
Linux Backdoor Capable of Full Remote Control
Auto-Color is a remote access trojan (RAT) discovered in 2024 by Unit 42 at Palo Alto Networks. It provides attackers with deep access to Linux machines. Key features include:
- Reverse shell control
- File creation and execution
- System profiling and proxy configuration
- Payload manipulation and self-removal
The malware remains dormant if it fails to reach its command-and-control (C2) server, making it harder to detect.
Attack Timeline and Tactics
The breach occurred on April 28, when Darktrace identified a suspicious ELF binary download on a system running SAP NetWeaver. However, scanning activity had started three days earlier. The attackers leveraged the SAP flaw to deliver Auto-Color as a second-stage payload, compromising an internet-facing device.
Darktrace noted the malware showed a deep understanding of Linux internals and executed the attack with precision and stealth, avoiding unnecessary exposure.
Financial and Government Sectors at Risk
Auto-Color has previously targeted universities and government agencies across North America and Asia. This latest attack shows a shift towards industrial and enterprise targets, using known software vulnerabilities as the entry point.
Security teams using SAP NetWeaver are urged to review logs, apply all patches, and monitor for signs of ELF binary downloads or suspicious outbound traffic.
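As an added illustration of the monitoring advice above (example code written for this page, not from Darktrace, SAP or the report), the following Python script scans constructed proxy-log lines for the two signals the article describes: a burst of probing 404s against the SAP host, followed within days by that host fetching a file whose first bytes are the ELF magic. The log format, hostnames and IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ELF_MAGIC = "7f454c46"  # first four bytes of any ELF binary: 0x7f 'E' 'L' 'F'
# Constructed sample proxy log (not from the report). Fields per line:
# time src dst method path status first-four-response-bytes-as-hex
SAMPLE_LOG = """\
2025-04-25T09:12:01Z 203.0.113.7 sap-nw-01 GET /irj/portal 200 3c21444f
2025-04-25T09:12:02Z 203.0.113.7 sap-nw-01 GET /sap/admin 404 3c68746d
2025-04-25T09:12:03Z 203.0.113.7 sap-nw-01 GET /webdynpro/ 404 3c68746d
2025-04-25T09:12:04Z 203.0.113.7 sap-nw-01 GET /ctc/ 404 3c68746d
2025-04-28T14:02:11Z sap-nw-01 198.51.100.23 GET /u/update 200 7f454c46
2025-04-28T14:02:30Z sap-nw-01 198.51.100.23 POST /b 200 00000000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) ([0-9a-f]{8})$")

def parse(log):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, src, dst, method, path, status, head = m.groups()
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "src": src, "dst": dst, "method": method, "path": path,
                     "status": int(status), "head": head})
    return rows

def find_scanners(rows, internal, min_404=3):
    """(client, host) pairs with >= min_404 404s against an internal host -> first probe time."""
    probes = defaultdict(list)
    for r in rows:
        if r["dst"] in internal and r["status"] == 404:
            probes[(r["src"], r["dst"])].append(r["ts"])
    return {pair: min(ts) for pair, ts in probes.items() if len(ts) >= min_404}

def find_elf_downloads(rows, internal):
    """Outbound fetches by an internal host whose response body starts with ELF magic."""
    return [r for r in rows if r["src"] in internal
            and r["dst"] not in internal and r["head"] == ELF_MAGIC]

def analyse(log, internal, lookback_days=7):
    """Flag ELF downloads; raise severity when the same host was probed shortly before."""
    rows = parse(log)
    scanners = find_scanners(rows, internal)
    lookback, findings = timedelta(days=lookback_days), []
    for r in find_elf_downloads(rows, internal):
        probed = any(host == r["src"] and timedelta(0) <= r["ts"] - first <= lookback
                     for (_, host), first in scanners.items())
        findings.append({"host": r["src"], "remote": r["dst"], "path": r["path"],
                         "severity": "high" if probed else "medium"})
    return findings
```

Run `analyse(SAMPLE_LOG, {"sap-nw-01"})` to see the constructed April 28 download flagged as high severity because the same host was probed three days earlier.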
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.