Hackers Exploit SAP Vulnerability to Deploy Auto-Color Backdoor in Targeted Attack

In a significant cybersecurity incident, hackers have exploited a critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025. The vulnerability, identified as CVE-2025-31324, is a severe unauthenticated file upload flaw that allows remote code execution (RCE). SAP confirmed this flaw was patched in April 2025, shortly after the attack was executed.

According to a report by Darktrace, which monitored the incident, the threat actor had access to the customer’s network over a three-day period. During this time, the attacker attempted to download several suspicious files and communicated with infrastructure linked to the Auto-Color malware. The incident underscores the persistent threats faced by organizations that rely on vulnerable software platforms.

Auto-Color, a malware discovered earlier in the year by Palo Alto Networks Unit 42, operates similarly to a remote access trojan, granting malicious actors remote access to compromised Linux systems. This malware has previously been linked to attacks on universities and government organizations across North America and Asia during late 2024.

The capabilities of the Auto-Color malware include reverse shell access, file creation and execution, system proxy configuration, and global payload manipulation. It also employs a sophisticated evasion technique: when it fails to connect to its command-and-control server, it suppresses its malicious activity, reducing the chances of detection. The incident highlights an evolving threat landscape in which threat actors increasingly use advanced techniques to minimize their exposure.