SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm
Summary:
Cybersecurity firm Darktrace has revealed the first documented case of attackers exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deliver Auto-Color, a stealthy Linux-based remote access trojan. Disclosed by SAP SE on April 24, 2025, and rated with a CVSS score of 10, the vulnerability allows malicious actors to upload files directly to the SAP NetWeaver application server, enabling remote code execution and full system compromise if exploited. Auto-Color, first detected in November 2024, has previously targeted universities and government institutions in the U.S. and Asia. The malware is designed for evasion and persistence: after infection it renames itself to “/var/log/cross/auto-color” and uses ld.so.preload to load itself covertly. Each variant carries an encrypted, statically compiled C2 configuration, and when it cannot reach its command-and-control server it suppresses its activity and appears dormant, which makes detection and analysis more difficult.
Darktrace observed a multi-stage attack on a U.S.-based chemicals company beginning April 25, 2025, when scanning for CVE-2025-31324 started. By April 27, exploitation was underway, marked by a suspicious ZIP file download from an external IP, followed by Out-of-Band Application Security Testing (OAST) DNS requests, a technique often used for data exfiltration or vulnerability checks. Later that day, the device downloaded a config.sh shell script and then connected to Supershell, a C2 framework. Less than 12 hours later, the Auto-Color ELF payload was downloaded, confirming the malware's deployment. Darktrace’s AI-powered Autonomous Response intervened on April 28, placing the compromised system into a restricted “pattern of life” mode for 30 minutes to halt further malicious behavior while maintaining normal operations. Following further alerts and review, the Autonomous Response was extended for 24 hours, giving the affected organization’s security team critical time to investigate and remediate the threat.
Security Officer Comments:
This incident underscores how even after public disclosure, unpatched SAP systems continue to face exploitation, and attackers are pairing vulnerabilities with advanced malware to execute targeted intrusions. Security experts at Qualys emphasize the urgency of patching SAP NetWeaver systems. If patching is not immediately feasible, organizations are urged to isolate affected servers, block vulnerable endpoints (such as /developmentserver/metadatauploader), and adopt zero-trust security models to reduce exposure.
Suggested Corrections:
- Apply SAP’s patch for CVE-2025-31324 immediately to prevent exploitation.
- Block or restrict internet access to vulnerable SAP NetWeaver systems and the /developmentserver/metadatauploader endpoint.
- Implement Zero Trust architecture to control and verify all network interactions.
- Deploy behavior-based and autonomous detection tools to identify and contain unusual activity.
- Monitor for suspicious activity, including abnormal DNS requests, shell script execution, and unauthorized ELF binaries.
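Two of the checks above can be scripted on the defender side: reviewing web access logs for requests to the /developmentserver/metadatauploader endpoint named in the corrections, and auditing /etc/ld.so.preload for entries that are not expected, since the summary notes Auto-Color uses ld.so.preload for persistence. The following is an added example, not code from Darktrace, Qualys or the article; it assumes a combined-format access log (not SAP's native log layout) and uses constructed sample lines and a constructed preload entry.

```python
"""Host and log triage helpers for the CVE-2025-31324 / Auto-Color indicators (added example)."""
import re

# Upload endpoint named in the advisory; any request to it is worth review.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Path the malware renames itself to after infection, per the report.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"

# Assumed combined-log layout: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_upload_requests(lines):
    """Return (ip, timestamp, method, status) for every request to the metadatauploader endpoint.
    A POST answered with 200 is the strongest signal of a successful upload attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0].lower().startswith(UPLOAD_ENDPOINT):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def suspicious_preload_entries(preload_text, allowlist=()):
    """Return non-comment entries of /etc/ld.so.preload that are not in allowlist.
    On a healthy host the file is normally absent or empty, so any entry merits investigation."""
    entries = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and entry not in allowlist:
            entries.append(entry)
    return entries


# Constructed sample data so the script runs stand-alone (not real captured traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2025:10:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Apr/2025:10:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 88',
    '198.51.100.3 - - [27/Apr/2025:10:15:00 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 2048',
]
SAMPLE_PRELOAD = "/usr/lib/libapproved-constructed.so  # allowlisted\n/lib/libunknown-constructed.so\n"

if __name__ == "__main__":
    for hit in flag_upload_requests(SAMPLE_LOG):
        print("upload endpoint hit:", hit)
    for entry in suspicious_preload_entries(SAMPLE_PRELOAD, allowlist=("/usr/lib/libapproved-constructed.so",)):
        print("unexpected ld.so.preload entry:", entry)
```

In production, read the live /etc/ld.so.preload and also check whether AUTO_COLOR_PATH exists on the host; both are cheap additions to a scheduled audit.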
Link(s):
https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/