Global cybersecurity agencies are sounding the alarm over a new wave of attacks leveraging a sophisticated Linux-based backdoor known as “Auto-Color,” which is now actively exploiting a critical vulnerability in SAP NetWeaver. This marks a significant escalation, as the advanced remote access Trojan (RAT), previously observed targeting universities and government institutions, is now impacting enterprise resource planning (ERP) systems.
The vulnerability, tracked as CVE-2025-31324, is an unauthenticated file upload flaw in SAP NetWeaver’s Visual Composer. This critical flaw allows attackers to upload arbitrary files, including malicious executables, to vulnerable servers, potentially leading to full system compromise and remote code execution. Despite SAP having issued patches for this vulnerability in April 2025, reports indicate active exploitation in the wild, underscoring the urgency for organizations to apply these updates immediately.
Cybersecurity firm Darktrace recently detailed an incident in April where a U.S.-based chemicals company was targeted. The attack began with the exploitation of CVE-2025-31324, allowing threat actors to deploy the Auto-Color malware. Auto-Color, named for its self-renaming capability to /var/log/cross/auto-color after execution, is highly evasive. It is designed to establish persistence on Linux systems by manipulating ld.so.preload, a powerful technique that ensures the malicious library loads before any others, silently hooking and overriding standard system functions.
What makes Auto-Color particularly concerning is its adaptive behavior. If executed without root privileges, it operates with limited functionality to avoid detection. However, with root access, it performs a more invasive installation, masquerading as a legitimate C utility library (libcext.so.2) to blend into trusted system components. Furthermore, the malware suppresses most of its activity if it fails to establish an outbound connection to its command-and-control (C2) server, an evasion tactic designed to appear dormant in sandboxed or offline environments.
This development highlights the urgent need for robust security postures, especially for organizations utilizing SAP NetWeaver. Experts stress that traditional SAP Basis teams often lack experience dealing with advanced RATs. Therefore, a collaborative approach integrating SAP security into broader IT security operations, coupled with immediate patching and continuous monitoring for unusual activity, is paramount to defend against this evolving threat.