CVE-2025-31324 SAP NetWeaver attack deployed Auto-Color malware

In April 2025, cybersecurity firm Darktrace detected and contained an attack that exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the stealthy Auto-Color backdoor over three days. The intrusion targeted a US-based chemicals company and is the first observed pairing of SAP NetWeaver exploitation with Auto-Color, demonstrating how threat actors are leveraging critical vulnerabilities to deploy advanced persistent threats on Linux systems.

The attack began with the exploitation of CVE-2025-31324, a critical vulnerability affecting SAP NetWeaver application servers that SAP SE disclosed on April 24, 2025. Starting April 25, the threat actors conducted reconnaissance, scanning for the vulnerability with URIs containing /developmentserver/metadatauploader, and launched the full attack two days later. They then executed a shell script named config.sh via the helper.jsp file and established connections to command-and-control (C2) infrastructure at 47.97.42[.]177 over port 3232, an endpoint associated with Supershell, a C2 platform linked to China-affiliated threat groups.

The Auto-Color backdoor, named after its habit of renaming itself to /var/log/cross/auto-color after execution, is a sophisticated Remote Access Trojan (RAT) that has primarily targeted universities and government institutions since November 2024.
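As an added example that is not part of the original article, the Python script below turns the indicators named above into a small log triage: it searches web-access, connection and host logs for requests touching /developmentserver/metadatauploader, requests for helper.jsp or config.sh, connections to 47.97.42[.]177 on port 3232, and executions of /var/log/cross/auto-color. All sample log lines are constructed for illustration; the log formats, the field names in the connection and host logs, and the directories in which helper.jsp and config.sh appear are assumptions, not details from the report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article. The C2 address is defanged there as
# 47.97.42[.]177; it is refanged here only so it can be matched in logs.
SAP_PROBE_PATH = "/developmentserver/metadatauploader"
AUTO_COLOR_PATH = "/var/log/cross/auto-color"
C2_IP = "47.97.42[.]177".replace("[.]", ".")
C2_PORT = 3232
SUSPECT_FILES = {"helper.jsp", "config.sh"}

# Constructed sample logs for illustration (not from the incident). The
# locations of helper.jsp and config.sh and the field names of the
# connection and host logs are assumptions, not details from the article.
ACCESS_LOG = """\
203.0.113.7 - - [25/Apr/2025:02:14:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [25/Apr/2025:02:15:03 +0000] "GET /sap/bc/ping HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2025:09:41:27 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 64 "-" "curl/8.4.0"
203.0.113.7 - - [27/Apr/2025:09:42:10 +0000] "GET /helper.jsp HTTP/1.1" 200 33 "-" "curl/8.4.0"
"""
CONN_LOG = """\
2025-04-27T09:43:00Z sap-app01 proto=tcp src=10.20.0.15 spt=51822 dst=47.97.42.177 dpt=3232 state=established
2025-04-27T09:43:05Z sap-app01 proto=tcp src=10.20.0.15 spt=51823 dst=203.0.113.80 dpt=443 state=established
"""
HOST_LOG = """\
2025-04-27T09:42:40Z sap-app01 exec uid=1001 exe=/bin/sh argv=sh /tmp/config.sh
2025-04-27T09:44:12Z sap-app01 exec uid=0 exe=/var/log/cross/auto-color argv=/var/log/cross/auto-color
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # which indicator matched
    when: str      # timestamp as it appears in the source log
    subject: str   # client IP or host name
    detail: str    # the matched request / connection / exec line

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(text: str) -> list[Finding]:
    """Flag requests to the metadatauploader endpoint and for the named files."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real pipeline would count these
        path = m["path"].split("?", 1)[0]  # ignore any query string when matching
        request = f'{m["method"]} {m["path"]} -> {m["status"]}'
        if SAP_PROBE_PATH in path:
            findings.append(Finding("sap-metadatauploader-request", m["ts"], m["src"], request))
        elif path.rsplit("/", 1)[-1] in SUSPECT_FILES:
            findings.append(Finding("suspect-file-request", m["ts"], m["src"], request))
    return findings

CONN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) .*?src=(?P<src>\S+) .*?dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)'
)


def scan_conn_log(text: str) -> list[Finding]:
    """Flag any connection to the Supershell C2 address; name the exact port match."""
    findings = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m or m["dst"] != C2_IP:
            continue
        rule = "c2-supershell-3232" if int(m["dpt"]) == C2_PORT else "c2-ip-other-port"
        findings.append(Finding(rule, m["ts"], m["host"], f'{m["src"]} -> {m["dst"]}:{m["dpt"]}'))
    return findings


def scan_host_log(text: str) -> list[Finding]:
    """Flag execution of the renamed Auto-Color binary or of the staging files."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 2)  # "<timestamp> <host> <rest>"
        if len(parts) < 3:
            continue
        ts, host, rest = parts
        if AUTO_COLOR_PATH in rest:
            findings.append(Finding("auto-color-binary", ts, host, rest))
        elif any(name in rest for name in SUSPECT_FILES):
            findings.append(Finding("suspect-file-exec", ts, host, rest))
    return findings


def triage(access: str, conn: str, host: str) -> dict:
    """Combine the three scans into a summary a responder can act on."""
    findings = scan_access_log(access) + scan_conn_log(conn) + scan_host_log(host)
    by_rule: dict[str, int] = {}
    for f in findings:
        by_rule[f.rule] = by_rule.get(f.rule, 0) + 1
    probes = [f for f in findings if f.rule == "sap-metadatauploader-request"]
    return {
        "findings": findings,
        "by_rule": by_rule,
        "first_probe": probes[0].when if probes else None,  # earliest reconnaissance hit
        "c2_confirmed": "c2-supershell-3232" in by_rule,
    }


if __name__ == "__main__":
    summary = triage(ACCESS_LOG, CONN_LOG, HOST_LOG)
    for f in summary["findings"]:
        print(f"{f.when}  {f.rule:<30} {f.subject}  {f.detail}")
    print("first probe:", summary["first_probe"], "| C2 confirmed:", summary["c2_confirmed"])
```

The access-log rule matches the metadatauploader path regardless of method so that the reconnaissance requests from April 25 surface alongside the later upload, which is why the summary reports the earliest probe separately; the connection rule keeps any traffic to the C2 address even on a port other than 3232, since an operator may rotate ports while keeping the same host.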
This news item was published on cybersecuritynews.com. Publication date: Wed, 30 Jul 2025 07:35:20 +0000