Security researchers have uncovered an advanced cyberattack campaign leveraging a critical vulnerability in SAP NetWeaver (CVE-2025-31324) to deploy a stealthy Linux backdoor known as Auto-Color. The exploited vulnerability, disclosed by SAP on April 24, 2025, is found in the Visual Composer component of SAP NetWeaver. It permits unauthenticated remote file uploads, potentially allowing threat actors to achieve complete system compromise on vulnerable servers.
The attack chain begins with the attackers abusing the /developmentserver/metadatauploader endpoint, exploiting CVE-2025-31324 to upload malicious ZIP archives. These archives contain helper scripts together with ELF (Linux executable) payloads. Once deployed, the Auto-Color malware adapts its behaviour to the privilege level it finds itself running with on the compromised system.
Technical Analysis: Auto-Color Malware
Upon execution, Auto-Color immediately checks its runtime privileges:
- Root privileges: The malware establishes highly resilient persistence by adding a disguised shared library (libcext.so.2) to /etc/ld.so.preload. The dynamic loader maps every library listed in that file into each new dynamically linked process ahead of the program's own libraries, so the implant can hook key libc functions system-wide without altering any legitimate binary on disk.
- Masquerading: To evade detection, Auto-Color copies itself into a log-like location such as /var/log/cross/auto-color, so a casual directory listing reads like log data rather than an executable.
- Command-and-Control: The backdoor communicates with hardcoded command-and-control (C2) servers over encrypted channels. Without C2 connectivity, Auto-Color suppresses most of its malicious activity and remains dormant, which makes sandbox analysis considerably harder.
- Capabilities: Auto-Color features a modular architecture, supporting remote shell access, arbitrary file execution, proxy setup, dynamic payload updates, and even a built-in “kill switch” for self-removal at the operator’s command.
Impact and Attribution
The vulnerability poses particular risk to organizations running unpatched SAP NetWeaver servers, especially those within manufacturing and critical infrastructure sectors. Reports suggest both ransomware groups and suspected state-affiliated threat actors from China have exploited this flaw since at least March 2025.
Why This Attack Matters
This incident marks the first documented deployment of an advanced Linux backdoor via CVE-2025-31324 in the wild. The attackers’ use of multi-stage techniques — from initial web shell installation to complex persistence strategies — demonstrates the increasing sophistication and persistence of threats targeting enterprise application stacks. Notably, techniques such as preload injection, privilege-aware operations, and log directory masquerading make Auto-Color exceptionally difficult to detect and remove.
Recommended Mitigation Steps
- Organizations running SAP NetWeaver should immediately apply SAP's official security patch or, where patching must wait, the mitigation guidance SAP published in April 2025, such as restricting access to the /developmentserver/metadatauploader endpoint.
- Security operations teams should heighten monitoring for successful POST requests to that endpoint from unexpected sources, unusual ZIP or ELF files downloaded to or written on the SAP host, suspicious network traffic to known C2 infrastructure, and any change to /etc/ld.so.preload or any ELF executable appearing under /var/log. On a healthy host /etc/ld.so.preload is normally absent or empty, so any content at all deserves review.
- Collaboration between SAP application teams and cybersecurity personnel is essential: SAP specialists may have little experience with Linux-targeted malware incidents, and security teams may not know the SAP stack well enough to judge what is normal.