In April 2025, a U.S.-based chemical company fell victim to a sophisticated cyberattack that exploited a critical vulnerability in SAP NetWeaver, leading to the deployment of the Auto-Color backdoor malware. This incident underscores the persistent threats posed by unpatched software vulnerabilities and the advanced tactics employed by cyber adversaries.
The Vulnerability: CVE-2025-31324
The attack centered around CVE-2025-31324, a severe unauthenticated file upload vulnerability in SAP NetWeaver’s Visual Composer Metadata Uploader component. This flaw allows attackers to upload malicious executable files without authentication, potentially leading to remote code execution and full system compromise. SAP addressed this vulnerability with an out-of-band patch released on April 24, 2025. However, the timing suggests that threat actors were already exploiting this flaw before the patch was available.
The Attack Timeline
According to cybersecurity firm Darktrace, the attack unfolded over several days:
– April 25, 2025: Initial reconnaissance activities were detected, indicating that attackers were scanning for vulnerable SAP NetWeaver instances.
– April 27, 2025: Active exploitation commenced. An internet-exposed machine, likely running SAP NetWeaver, downloaded a suspicious ZIP file from a malicious IP address (91.193.19[.]109). This was followed by DNS tunneling requests to Out-of-Band Application Security Testing (OAST) domains, a technique often used for data exfiltration or command-and-control (C2) communication.
– April 28, 2025: The compromised device downloaded an ELF (Executable and Linkable Format) binary representing the Auto-Color malware from another malicious IP address (146.70.41[.]178). Subsequent attempts to establish communication with C2 infrastructure were observed but ultimately failed.
Auto-Color Malware: An Overview
First documented by Palo Alto Networks’ Unit 42 in February 2025, Auto-Color is a sophisticated Remote Access Trojan (RAT) targeting Linux systems. Notable for its evasive techniques, the malware can:
– Adapt Behavior: Auto-Color adjusts its actions based on the privileges it possesses on the compromised system.
– Maintain Persistence: It leverages the ‘ld.so.preload’ mechanism for stealthy persistence through shared object injection.
– Evade Detection: If unable to connect to its C2 server, Auto-Color suppresses its malicious activities, appearing benign to avoid detection.
The malware’s capabilities include establishing reverse shells, creating and executing files, configuring system proxies, manipulating global payloads, profiling the system, and self-removal upon activation of a kill switch.
Attribution and Broader Implications
While the specific threat actors behind this attack remain unidentified, previous incidents involving CVE-2025-31324 have been linked to Chinese state-sponsored groups. For instance, Forescout Vedere Labs reported that a group dubbed Chaya_004 exploited this vulnerability to deploy Golang-based SuperShell malware. This suggests a broader pattern of exploitation by sophisticated adversaries targeting critical infrastructure.
Mitigation and Recommendations
Organizations utilizing SAP NetWeaver should take immediate action to mitigate potential risks:
1. Apply Patches Promptly: Ensure that all SAP NetWeaver instances are updated with the latest patches, particularly those addressing CVE-2025-31324.
2. Monitor Network Activity: Implement continuous monitoring to detect unusual activities, such as unauthorized file uploads or unexpected outbound connections.
3. Restrict Exposure: Limit the exposure of SAP NetWeaver systems to the internet by configuring firewalls and access controls appropriately.
4. Conduct Regular Audits: Perform regular security audits to identify and remediate potential vulnerabilities within the network.
5. Educate Personnel: Train staff on recognizing phishing attempts and other common attack vectors to reduce the risk of initial compromise.
Conclusion
The exploitation of SAP NetWeaver’s CVE-2025-31324 vulnerability to deploy Auto-Color malware highlights the critical importance of timely patch management and robust cybersecurity practices. As threat actors continue to evolve their tactics, organizations must remain vigilant and proactive in safeguarding their systems against such sophisticated attacks.
