- A critical flaw in SAP NetWeaver is still being abused, months after patching
- Researchers saw it used to deploy Auto-Color
- This backdoor remains dormant when not in use
A vulnerability in SAP NetWeaver is being exploited to deploy Linux malware capable of running arbitrary system commands and deploying additional payloads, experts have warned.
Security researchers from Palo Alto Networks’ Unit 42 discovered a piece of malware called Auto-Color, a Linux backdoor, dubbed for its ability to rename itself after installation.
The researchers found it was capable of opening reverse shells, executing arbitrary system commands, acting as a proxy, uploading and modifying files, as well as adjusting settings dynamically. It was also discovered that the backdoor remains mostly dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator instructions arrive.
Salt Typhoon
However, the researchers weren’t able to determine the initial infection vector – how the malware made it onto target endpoints remained a mystery – until now.
Responding to an incident in April 2025, cybersecurity experts from Darktrace investigated an Auto-Color infection on a US-based chemicals company. They were able to determine that the initial infection vector was a critical vulnerability in SAP NetWeaver, a technology platform developed that serves as the technical foundation for many SAP applications.
The vulnerability was found in the platform’s Visual Composer Metadata Uploader element, which was not protected with a proper authorization. As a result, unauthenticated agents were allowed to upload potentially malicious executable binaries that could do severe damage. It is tracked as CVE-2025-31324, and was given a severity score of 9.8/10 – critical.
SAP fixed the issue in late April 2025, but at the time, multiple security firms were already seeing attacks in the wild. ReliaQuest, Onapsis, watchTowr, Mandiant, all reported observing threat actors leveraging this flaw, and among them – Chinese state-sponsored groups, as well.
Given the destructive potential of the flaw, and the fact that a patch is available for months now, Linux admins are advised to apply it without hesitation and mitigate potential threats.
Via BleepingComputer
