Ethical Hacking News
Recently discovered Auto-Color malware has been found to exploit a now-patched critical SAP NetWeaver vulnerability, compromising Linux systems and enabling remote access. This sophisticated attack highlights the ongoing threat posed by remote access trojans (RATs) and emphasizes the need for timely patching and robust cybersecurity measures.
Hackers exploited a now-patched critical vulnerability in SAP NetWeaver to deliver the Auto-Color backdoor, a remote access trojan (RAT) designed to enable unauthorized access to compromised Linux hosts. The vulnerability, CVE-2025-31324, is a severe unauthenticated file upload bug that enables remote code execution (RCE). Despite being patched by SAP in April, the exploit was still successful due to various factors. The Auto-Color malware functions like a remote access trojan, enabling remote access to compromised Linux hosts and supports features like reverse shell and file creation. The malware is designed to evade detection by giving the impression that it's benign if it fails to establish communication with its command-and-control (C2) server. Timely patching and robust cybersecurity measures are crucial in protecting against sophisticated attacks like Auto-Color.
In a recent development that highlights the ongoing struggle between cybersecurity professionals and threat actors, hackers have been observed exploiting a now-patched critical vulnerability in SAP NetWeaver to deliver the Auto-Color backdoor, a remote access trojan (RAT) designed to enable unauthorized access to compromised Linux hosts. This attack targeted a U.S.-based chemicals company in April 2025, with threat actors gaining access to the customer's network over the course of three days.
The vulnerability in question is CVE-2025-31324, a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). Despite being patched by SAP in April, the exploit was still successful due to various factors. According to Darktrace, which detected this incident, the threat actors leveraged this vulnerability to launch a second-stage attack involving the compromise of an internet-facing device and the download of an ELF file representing the Auto-Color malware.
The Auto-Color malware functions akin to a remote access trojan, enabling remote access to compromised Linux hosts. It was first documented by Palo Alto Networks Unit 42 earlier in February this year and has since been observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024.
What makes the Auto-Color malware particularly concerning is its ability to hide its malicious behavior, failing to connect to its command-and-control (C2) server if it fails to establish communication. This suggests that the threat actors are attempting to evade detection by giving the impression that the malware is benign. However, the Auto-Color malware supports a range of features, including reverse shell, file creation and execution, system proxy configuration, global payload manipulation, system profiling, and even self-removal when a kill switch is triggered.
"CVE-2025-31324 was leveraged in this instance to launch a second-stage attack," Darktrace stated. "From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection." This level of sophistication underscores the ongoing threat posed by sophisticated malware like Auto-Color.
The incident highlights the importance of timely patching and the need for robust cybersecurity measures in protecting against increasingly sophisticated attacks. Despite SAP's efforts to address this vulnerability, the successful exploitation of CVE-2025-31324 demonstrates that threat actors are always on the lookout for potential vulnerabilities to exploit.
As organizations continue to grapple with the evolving threat landscape, it is essential to stay vigilant and implement effective cybersecurity measures to mitigate such risks. This includes ensuring that all software applications, including SAP NetWeaver, receive regular updates and patches, as well as conducting thorough risk assessments to identify potential vulnerabilities.
In conclusion, the Auto-Color malware incident serves as a stark reminder of the ongoing threat posed by sophisticated attacks and the importance of maintaining robust cybersecurity measures. By staying informed about emerging threats and implementing effective countermeasures, organizations can significantly reduce their risk exposure and protect against the latest exploits like CVE-2025-31324.
Related Information:
https://www.ethicalhackingnews.com/articles/Exploiting-SAP-Vulnerabilities-The-Auto-Color-Malware-Threat-ehn.shtml
https://thehackernews.com/2025/07/hackers-exploit-sap-vulnerability-to.html
Published: Wed Jul 30 03:27:40 2025 by llama3.2 3B Q4_K_M
