- A critical flaw in SAP NetWeaver is still being abused, months after the patch
- Researchers saw it used to deploy Auto-Color
- The backdoor stays dormant when its operators are not using it
A vulnerability in SAP NetWeaver is being exploited to deploy Linux malware capable of running arbitrary system commands and delivering further payloads, experts have warned.
Security researchers from Palo Alto Networks' Unit 42 discovered a piece of malware called Auto-Color, a Linux backdoor named for its ability to rename itself after installation.
The researchers found that it was able to open reverse shells, run arbitrary system commands, act as a proxy, upload and modify files, and adjust its configuration dynamically. They also found that the backdoor mostly remains dormant if its C2 server cannot be reached, which helps it evade detection by staying inactive until operator instructions arrive.
Salt Typhoon
However, the researchers were unable to determine the initial infection vector: how the malware reached the endpoints remained a mystery, until now.
Responding to an incident in April 2025, cybersecurity experts from Darktrace examined an Auto-Color infection at a US-based chemical company. They were able to determine that the initial infection vector was a critical vulnerability in SAP NetWeaver, a technology platform that serves as the technical foundation of many SAP applications.
The vulnerability was found in the platform's Visual Composer Metadata Uploader component, which lacked a proper authorization check. As a result, unauthenticated actors were able to upload potentially malicious executable binary files that could do serious damage. It is tracked as CVE-2025-31324 and received a severity score of 9.8/10 (critical).
SAP fixed the flaw at the end of April 2025, but by then several security companies had already observed it being attacked in the wild. ReliaQuest, Onapsis, watchTowr and Mandiant all reported observing threat actors exploiting this bug, among them Chinese state-sponsored groups.
Given the flaw's destructive potential and the fact that a patch has been available for months, Linux administrators are advised to apply it without delay and mitigate the potential threat.
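The defect class described above is a file upload endpoint that performs no authorization check and accepts arbitrary binary content. The following added example (not SAP's code, not the real CVE-2025-31324 code path, and not the vendor's fix) shows that vulnerable pattern next to a hardened handler; the `Request` shape, the role name `metadata_admin`, the extension allowlist and the size limit are assumptions made for the illustration.

```python
"""Constructed example: an unauthenticated upload handler beside a hardened one.
Not SAP code; the request shape, roles, limits and allowlist are assumptions."""
import os
from dataclasses import dataclass, field

MAX_UPLOAD_BYTES = 1_000_000                 # assumed size cap for metadata files
ALLOWED_EXTENSIONS = {".xml", ".json"}       # assumed allowlist: metadata, never binaries
# Leading bytes of ELF, PE/DOS and script files; a metadata uploader has no
# business storing any of these.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"#!")


@dataclass
class Request:
    """Minimal stand-in for an HTTP upload request (assumed shape)."""
    authenticated: bool
    roles: frozenset = field(default_factory=frozenset)
    filename: str = ""
    body: bytes = b""


def vulnerable_upload(req: Request, store: dict) -> tuple:
    """The missing-authorization pattern: anyone can store anything under any name."""
    store[req.filename] = req.body
    return 200, "stored"


def hardened_upload(req: Request, store: dict, required_role: str = "metadata_admin") -> tuple:
    """Same operation with the checks the vulnerable handler lacks.

    Order matters: authentication and authorization are decided before the
    body is inspected, so unauthenticated callers learn nothing about the
    validation rules from the response."""
    if not req.authenticated:
        return 401, "authentication required"
    if required_role not in req.roles:
        return 403, "insufficient privileges"
    if len(req.body) > MAX_UPLOAD_BYTES:
        return 413, "payload too large"
    # Reject path traversal and anything outside the metadata allowlist.
    name = req.filename
    if name != os.path.basename(name) or ".." in name:
        return 400, "filename not allowed"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return 400, "file type not allowed"
    # Content check: the extension alone is attacker-controlled.
    if req.body.startswith(EXECUTABLE_MAGIC):
        return 415, "executable content rejected"
    store[name] = req.body
    return 200, "stored"


def demo() -> dict:
    """Run both handlers against constructed requests; returns status codes."""
    anon_elf = Request(authenticated=False, filename="tool.xml", body=b"\x7fELF\x02\x01\x01")
    admin_ok = Request(True, frozenset({"metadata_admin"}), "model.xml", b"<metadata/>")
    results = {
        "vulnerable_anon_elf": vulnerable_upload(anon_elf, {})[0],
        "hardened_anon_elf": hardened_upload(anon_elf, {})[0],
        "hardened_admin_ok": hardened_upload(admin_ok, {})[0],
    }
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The content check matters as much as the authorization check: once the endpoint is reachable only by authenticated, authorized users, rejecting native executables by their leading bytes limits the damage a compromised account can do through the same path.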
Via BleepingComputer