SAP Turmoil in the Lab
- Javier Conejo del Cerro
- 31 jul
- 4 Min. de lectura
A stealthy threat has emerged from the world of enterprise software: cybercriminals are actively exploiting CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy a Linux-targeting backdoor known as Auto-Color. This remote access trojan (RAT) has been used to infiltrate critical infrastructure, with a confirmed attack in April 2025 against a U.S.-based chemicals firm. The flaw, a now-patched unauthenticated file upload vulnerability, allowed attackers to remotely place malicious files on unprotected SAP servers and launch second-stage malware.
Auto-Color is no ordinary backdoor. Designed for stealth and persistence, it blends into Linux environments while granting threat actors full remote control of infected systems. The malware can self-hide when C2 (command-and-control) infrastructure is unreachable, a sign of calculated evasion. With support for reverse shells, file execution, proxy hijacking, system profiling, and more, Auto-Color is an advanced tool in the hands of skilled adversaries—one that can be deployed swiftly in enterprise Linux environments by exploiting a single SAP misconfiguration.
Chemicals Exposed
The victims of this campaign are not random targets but high-value enterprise environments that rely on SAP NetWeaver to power core operational systems. While the most visible breach involved a U.S.-based chemical company, the sectors at risk extend far beyond industrial manufacturing. Education and government networks have also been identified as past targets in campaigns where Auto-Color was used to quietly exfiltrate data and maintain long-term access.
The common factor among all victims is the use of unpatched SAP NetWeaver instances on Linux servers exposed to the internet. These hosts often support essential business workflows and remain visible through automated scanning tools. Once attackers identify a vulnerable system running SAP NetWeaver without the latest security updates, they act quickly to exploit the CVE-2025-31324 flaw—using it to upload a malicious ELF binary and initiate a full compromise.
What makes these victims especially vulnerable is the convergence of legacy configurations, insufficient monitoring of Linux endpoints, and the complexity of SAP landscapes that often delays patch management. By compromising SAP NetWeaver, attackers don’t just gain access to a single server—they breach a digital control panel used to manage workflows, user data, and enterprise integrations across business-critical functions.
Acidic Reaction
The breach begins with reconnaissance. Threat actors continuously scan the internet for SAP NetWeaver servers running outdated or misconfigured software. Once a vulnerable host is found, they exploit CVE-2025-31324—a remote, unauthenticated file upload vulnerability—to place a malicious ELF binary on the target Linux system. This file is Auto-Color, a backdoor engineered to run silently while granting attackers a powerful foothold.
Darktrace, the firm that uncovered the April 2025 incident, noted that initial signs of scanning began three days before the malware was delivered. After successful exploitation, the ELF payload attempted to contact a command-and-control server. If blocked by firewalls or EDR systems, Auto-Color activates an evasion mode, suppressing signs of malicious behavior to avoid detection. If the connection is successful, the malware goes live, enabling a wide range of capabilities:
Launching reverse shells to issue commands directly from attacker infrastructure
Executing arbitrary files on the compromised system
Reconfiguring proxy settings to hijack network traffic
Profiling the infected system to inform further attacks
Modifying payload behavior based on attacker intent
Triggering self-removal through a built-in kill switch
Darktrace observed one such attack in which the actor remained inside the compromised network for three days. During this time, they refrained from aggressive moves, instead performing quiet reconnaissance and system fingerprinting. This behavior strongly suggests that Auto-Color’s operators are experienced Linux adversaries, capable of evading traditional detection techniques by blending in with legitimate traffic and processes.
The Antidote
Defending against Auto-Color and similar malware strains begins with proactive hardening of enterprise Linux environments, particularly those hosting SAP workloads. Given the critical nature of the vulnerability and the stealthy behavior of the malware, organizations must assume that scans and exploitation attempts are already underway.
The following measures can significantly reduce the risk of compromise:
Patch immediately: Apply SAP’s security update addressing CVE-2025-31324 across all NetWeaver instances. Prioritize internet-exposed servers.
Monitor Linux endpoints: Watch for unusual ELF file downloads, especially in directories commonly used for SAP operations.
Inspect outbound traffic: Investigate unexpected C2 communications, proxy reconfigurations, or suspicious lateral traffic within your network.
Deploy EDR solutions: Ensure Linux endpoints are covered by modern endpoint detection and response (EDR) tools capable of detecting evasive behaviors.
Audit SAP access logs: Review for anomalous remote access patterns or file uploads, especially outside normal business hours.
Isolate core SAP servers: Segment SAP NetWeaver environments from the rest of your network to reduce lateral movement.
Prepare for evasive malware: Train SOC teams to recognize malware that may appear benign until it establishes a C2 connection.
Validate backups: Ensure regular backups are tested, immutable, and disconnected from the main network to prevent overwrite during attack escalation.
Auto-Color is a warning shot for Linux-based enterprise environments: a sign that advanced attackers are willing to leverage even niche vulnerabilities in vertical-specific software. Early detection and disciplined patch management remain the first line of defense. Once embedded, threats like Auto-Color are designed to hide—and to stay.
Comentarios