- Attackers are still abusing a critical flaw in SAP NetWeaver, months after it was patched
- Researchers saw it used to deploy the Auto-Color backdoor
- The backdoor stays dormant when it is not in use
A vulnerability in SAP NetWeaver is being exploited to deploy Linux malware capable of executing arbitrary system commands and dropping additional payloads, experts have warned.
Security researchers from Palo Alto Networks' Unit 42 discovered the malware, a Linux backdoor named Auto-Color, so called because it renames itself after installation.
The researchers found that it can open reverse shells, execute arbitrary system commands, act as a proxy, create and modify files, and adjust its configuration dynamically. They also found that the backdoor stays largely dormant when its C2 server is unreachable, which helps it evade detection: it does nothing until the operator's instructions arrive.
However, the researchers could not determine the initial infection vector; how the malware reached its targets remained a mystery, until now.
While responding to an incident in April 2025, Darktrace analysts investigated an Auto-Color infection at a chemical company based in the United States. They were able to determine that the initial infection vector was a critical vulnerability in SAP NetWeaver, the technology platform that serves as the technical foundation for many SAP applications.
The vulnerability sits in the platform's Visual Composer Metadata Uploader component, which lacked a proper authorization check. As a result, unauthenticated attackers could upload potentially malicious executable files to the server, with serious consequences. The flaw is tracked as CVE-2025-31324 and carries a severity score of 9.8/10 (critical).
SAP fixed the problem at the end of April 2025, but by then multiple security firms were already seeing attacks in the wild. ReliaQuest, Onapsis, watchTowr and Mandiant all reported observing threat actors exploiting the flaw, among them Chinese state-sponsored groups.
Given the destructive potential of the flaw, and the fact that a patch has been available for months, administrators are advised to apply it without delay and to hunt for signs of compromise.
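The class of bug described above, a file-upload endpoint with no authorization check, is easy to model. The following is an added illustration written for this article, not SAP's code: the route, role name, file types and log lines are all invented, and the vulnerable handler is deliberately missing the checks that the hardened one adds (authenticate, authorize, then validate name, type and size). A small log scan at the end flags the tell-tale combination of an anonymous, successful POST to the upload route.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical route and policy for the example; not the real SAP endpoint.
UPLOAD_PREFIX = "/upload/metadata"
ALLOWED_SUFFIXES = {".xml", ".json"}    # what a metadata uploader plausibly needs
MAX_BYTES = 1_000_000
REQUIRED_ROLE = "metadata_admin"        # invented role name


@dataclass
class Request:
    method: str
    path: str
    filename: str
    body: bytes
    session_user: Optional[str] = None          # None means unauthenticated
    roles: frozenset = field(default_factory=frozenset)


def vulnerable_upload(req: Request, store: Dict[str, bytes]) -> Tuple[int, str]:
    """The missing-check pattern: any POST is stored under the caller's
    chosen name, with no authentication, authorization or type check."""
    if req.method != "POST":
        return 405, "method not allowed"
    store[req.filename] = req.body
    return 200, "stored"


def hardened_upload(req: Request, store: Dict[str, bytes]) -> Tuple[int, str]:
    """Same handler with the checks layered in the order a reviewer expects:
    authenticate, authorize, then validate the file name, type and size."""
    if req.method != "POST":
        return 405, "method not allowed"
    if req.session_user is None:
        return 401, "authentication required"
    if REQUIRED_ROLE not in req.roles:
        return 403, "missing role"
    name = os.path.basename(req.filename)          # drops any ../ traversal
    if not name or os.path.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
        return 415, "unsupported file type"
    if len(req.body) > MAX_BYTES:
        return 413, "payload too large"
    store[name] = req.body
    return 200, "stored"


# Common Log Format: ip ident authuser [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def flag_anonymous_uploads(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for successful POSTs to the upload route that
    carry no authenticated user. On a correctly secured endpoint that
    combination should never occur, so each hit is worth investigating."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status, _size = m.groups()
        if (method == "POST" and path.startswith(UPLOAD_PREFIX)
                and user == "-" and status == "200"):
            hits.append((ip, path))
    return hits


# Constructed sample log lines for the example, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2025:10:00:01 +0000] "POST /upload/metadata?name=x.jsp HTTP/1.1" 200 12',
    '198.51.100.7 - alice [01/May/2025:10:00:05 +0000] "POST /upload/metadata?name=m.xml HTTP/1.1" 200 4096',
    '203.0.113.5 - - [01/May/2025:10:00:09 +0000] "GET /upload/metadata HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2025:10:00:12 +0000] "POST /upload/metadata?name=y.jsp HTTP/1.1" 401 0',
]


if __name__ == "__main__":
    anon = Request("POST", UPLOAD_PREFIX, "shell.jsp", b"<% %>")
    print("vulnerable:", vulnerable_upload(anon, {}))   # (200, 'stored')
    print("hardened:  ", hardened_upload(anon, {}))     # (401, 'authentication required')
    for ip, path in flag_anonymous_uploads(SAMPLE_LOG):
        print("anonymous upload from", ip, "to", path)
```

The ordering in `hardened_upload` matters: an unauthenticated caller is rejected before any file handling runs, so a bypass of the type filter never becomes reachable without a valid session. The log scan is only a starting point; on a real deployment the route, the user field and the log format should be taken from the application's own configuration.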
Via BleepingComputer