SAP NetWeaver vulnerability exploited to breach Linux systems, US firm targeted

Over a three-day breach, attackers exploited CVE-2025-31324—a critical unauthenticated file upload flaw in SAP NetWeaver—to access a U.S. company’s network, retrieve suspicious files, and connect with Auto-Color malware infrastructure before SAP patched the vulnerability

A critical vulnerability in SAP NetWeaver software was exploited by threat actors to deploy the Auto-Color backdoor in a targeted cyberattack against a U.S.-based chemical company in April 2025, according to a report from cybersecurity firm Darktrace.

The attack unfolded over a three-day period, during which intruders gained unauthorized access to the company’s network, attempted to retrieve suspicious files, and established contact with infrastructure linked to the Auto-Color malware. The exploited vulnerability, tracked as CVE-2025-31324, is a severe unauthenticated file upload flaw that permits remote code execution. SAP issued a patch for the vulnerability in April.

Auto-Color, a remote access trojan first analyzed by Palo Alto Networks Unit 42 earlier this year, is capable of targeting Linux systems and has previously been detected in attacks against universities and government institutions across North America and Asia in late 2024.

Stealth tactics and system evasion

The malware exhibits evasive capabilities, remaining dormant if it cannot connect to its command-and-control (C2) server—an intentional design to avoid detection. It includes functions such as reverse shell access, system proxy configuration, file execution, payload manipulation, and even a kill switch for self-removal.

Darktrace's threat detection systems flagged the breach on April 28, identifying the download of a suspicious ELF binary on an internet-facing machine likely running SAP NetWeaver. Indicators suggest scanning activity had begun three days earlier.

The attackers reportedly used the SAP flaw to deploy a second-stage payload, allowing Auto-Color to infiltrate the system. Although C2 communication ultimately failed, the malware demonstrated a sophisticated understanding of Linux architecture and operated with caution to evade security measures.

The incident underscores the urgency of patching enterprise software vulnerabilities and reinforces concerns about growing threats to critical infrastructure sectors.