Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware

According to the latest research by Darktrace, the threat actors behind Auto-Color exploit CVE-2025-31324, a critical vulnerability in NetWeaver that allows unauthenticated attackers to upload malicious binaries to achieve remote code execution (RCE). Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics. Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company. The Auto-Color malware was first documented by Palo Alto Networks' Unit 42 researchers in February 2025, who highlighted its evasive nature and difficulty in eradicating once it has established a foothold on a machine. "If the C2 server is unreachable, Auto-Color effectively stalls and refrains from deploying its full malicious functionality, appearing benign to analysts," explains Darktrace. Auto-Color features capabilities such as arbitrary command execution, file modification, reverse shell for full remote access, proxy traffic forwarding, and dynamic configuration updating. SAP fixed the flaw in April 2025, while security firms ReliaQuest, Onapsis, and watchTowr reported seeing active exploitation attempts, which culminated only a few days later. Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine. Apart from the initial access vector, Darktrace also discovered a new evasion measure implemented on the latest version of Auto-Color. By May, ransomware actors and Chinese state hackers had joined in the exploitation activity, while Mandiant reported unearthing evidence of zero-day exploitation for CVE-2025-31324 since at least mid-March 2025. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. With Auto-Color now actively exploiting CVE-2025-31324, administrators should act quickly to apply the security updates or mitigations provided in the customer-only SAP bulletin.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 29 Jul 2025 16:15:15 +0000