Hackers Target SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware
July 30, 2025
Vulnerability / Threat Intelligence
Threat actors have been found exploiting a critical SAP NetWeaver vulnerability, now patched, to introduce the Auto-Color backdoor in an April 2025 attack on a U.S.-based chemicals firm. According to a report from Darktrace shared with The Hacker News, the attacker accessed the company’s network over three days, attempted to download suspicious files, and communicated with infrastructure associated with the Auto-Color malware. The vulnerability, identified as CVE-2025-31324, is a severe unauthenticated file upload flaw in SAP NetWeaver that allows remote code execution (RCE) and was fixed by SAP in April. Auto-Color, first reported by Palo Alto Networks Unit 42 in February, operates similarly to a remote access trojan, providing remote access to compromised Linux systems. It has been linked to attacks against universities and government entities in North America and Asia between November and December 2024.
Vulnerability / Threat Intelligence
Hackers Exploit SAP Vulnerability to Target U.S. Chemical Company with Auto-Color Malware On July 30, 2025, cybersecurity experts reported a significant breach involving a critical vulnerability in SAP NetWeaver, previously patched by SAP. In an incident that unfolded over three days in April 2025, threat actors targeted a U.S.-based chemicals…
Hackers Target SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware
July 30, 2025
Vulnerability / Threat Intelligence
Threat actors have been found exploiting a critical SAP NetWeaver vulnerability, now patched, to introduce the Auto-Color backdoor in an April 2025 attack on a U.S.-based chemicals firm. According to a report from Darktrace shared with The Hacker News, the attacker accessed the company’s network over three days, attempted to download suspicious files, and communicated with infrastructure associated with the Auto-Color malware. The vulnerability, identified as CVE-2025-31324, is a severe unauthenticated file upload flaw in SAP NetWeaver that allows remote code execution (RCE) and was fixed by SAP in April. Auto-Color, first reported by Palo Alto Networks Unit 42 in February, operates similarly to a remote access trojan, providing remote access to compromised Linux systems. It has been linked to attacks against universities and government entities in North America and Asia between November and December 2024.