SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.

Darktrace, a leading cybersecurity research firm, has identified what is believed to be the first documented instance of threat actors exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the evasive Auto-Color backdoor malware.

This flaw, disclosed by SAP SE on April 24, 2025 and assigned a CVSS score of 10, is particularly dangerous as it enables attackers to upload malicious files to the SAP NetWeaver application server, potentially leading to remote code execution and full system compromise.

About Auto-Color

The Auto-Color Backdoor, first seen in November 2024 and previously observed targeting systems in the US and Asia, is a Remote Access Trojan (RAT) named for its ability to rename itself to “/var/log ...