- A critical flaw in SAP NetWeaver is still being abused, months after the fix
- Researchers saw it used to deploy Auto-Color
- The backdoor remains dormant when it is not in use
A vulnerability in SAP NetWeaver is being used to deploy Linux malware capable of executing arbitrary system commands and deploying additional payloads, experts have warned.
Security researchers at Palo Alto Networks' Unit 42 discovered a piece of malware called Auto-Color, a Linux backdoor named for its ability to rename itself after installation.
The researchers found that it can open reverse shells, execute arbitrary system commands, act as a proxy, download and modify files, and adjust its settings dynamically. The backdoor was also found to remain largely dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator's instructions arrive.
However, the researchers had not been able to determine the initial infection vector; how the malware reached the target endpoints remained a mystery, until now.
Responding to an incident in April 2025, cybersecurity experts at Darktrace studied an Auto-Color infection at a US-based chemical company. They were able to determine that the initial infection vector was a critical vulnerability in SAP NetWeaver, a development platform that serves as the technical foundation for many SAP applications.
The vulnerability was found in the platform's Visual Composer Metadata Uploader component, which was not protected by proper authorization checks. As a result, unauthenticated attackers could upload potentially malicious executable binaries capable of causing serious damage. It is tracked as CVE-2025-31324 and received a severity score of 9.8/10 (critical).
SAP fixed the issue at the end of April 2025, but by then several security firms were already seeing attacks in the wild. ReliaQuest, Onapsis, watchTowr and Mandiant all reported observing threat actors exploiting the flaw, among them Chinese state-sponsored groups.
Given the destructive potential of the flaw and the fact that a patch has been available for months now, Linux administrators are advised to apply it without delay and to mitigate potential threats.
Via BleepingComputer