
Auto-Color Backdoor Weaponizes SAP Flaw for Stealthy Access


A critical zero-day vulnerability in SAP NetWeaver, CVE-2025-31324, is being exploited to deliver “Auto-Color,” a stealthy Linux backdoor. The vulnerability allows for unauthenticated remote code execution (RCE), enabling attackers to achieve full system compromise. Multiple threat actors, including state-sponsored groups and ransomware operators, have weaponized this flaw to deploy malware, establish persistent access, and steal data. Immediate patching and proactive threat hunting are essential for all organizations using affected SAP products.


Background on SAP NetWeaver

SAP NetWeaver is a foundational application server for many SAP business applications. It can be deployed on-premise or in the cloud and runs on Windows and Linux servers. Due to its critical role in processing and storing sensitive enterprise data, it is a high-value target for cyber attackers. The specific component affected by this vulnerability is the Visual Composer, which, although not installed by default, is present in a significant percentage of SAP Java systems.


Vulnerability Details

  • CVE-ID: CVE-2025-31324.
  • CVSS Score: 10.0 (Critical).
  • Vulnerability Type: A Missing Authorization Check leads to Unrestricted File Upload (CWE-434), which allows unauthenticated remote code execution (RCE).
  • Affected Component: SAP NetWeaver Visual Composer Framework 7.50. All NetWeaver 7.50 versions are considered vulnerable.
  • Affected Endpoint: /developmentserver/metadatauploader.

Infection Method

The attack leverages the vulnerability in a multi-step process:

  1. Initial Access: Attackers scan the internet for publicly exposed SAP NetWeaver systems.
  2. Exploitation: A specially crafted HTTP POST request is sent to the vulnerable /developmentserver/metadatauploader endpoint. Due to the missing authorization check, the server accepts the request from the unauthenticated attacker.
  3. Web Shell Upload: The attacker uploads a malicious file, typically a web shell such as helper.jsp or cache.jsp, to the server’s file system.
  4. Malware Execution: The attacker accesses the web shell through a browser to execute commands on the compromised server. This is often used to download and run a more sophisticated payload, such as the Auto-Color backdoor.
  5. Persistence: The malware establishes long-term access on the device, often by manipulating system files or creating scheduled tasks.

Malware Behavior and Capabilities (“Auto-Color”)

First observed in late 2024, Auto-Color is a Remote Access Trojan (RAT) specifically targeting Linux systems. It is named for its behavior of renaming itself to /var/log/cross/auto-color to masquerade as a log file. Its advanced features indicate a focus on stealth and espionage:

  • Evasive Persistence: Uses the ld.so.preload feature to inject its malicious library before any others, allowing it to hook system functions and remain hidden.
  • Privilege-Aware Execution: The malware adapts its behavior based on the privilege level it is running under.
  • Command and Control (C2) Suppression: If the malware cannot connect to its hardcoded C2 server, it enters a dormant state, suppressing most malicious activity. This tactic helps it evade detection in sandboxed or air-gapped analysis environments.
  • Reverse Shell: Provides the attacker with full remote access and the ability to execute arbitrary commands.
  • Rootkit Functionality: Includes a module designed to hide its malicious processes and files from security tools.
  • Proxy Tunneling: Can forward traffic through the compromised device, enabling stealthy movement within the internal network.

Techniques and Tactics Include

TTP ID     | Technique Name                                        | Description
-----------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------
T1190      | Exploit Public-Facing Application                     | The deployed web shell executes shell commands to download and run the main malware payload.
T1059.004  | Command and Scripting Interpreter: Unix Shell         | The malware binary renames itself “auto-color” and places itself in a directory path mimicking system logs to blend in.
T1547.006  | Boot or Logon Autostart Execution: ld.so.preload      | The Auto-Color malware modifies /etc/ld.so.preload to ensure it is loaded by the dynamic linker, establishing persistence.
T1036      | Masquerading                                          | The deployed web shell executes shell commands to download and run the primary malware payload.
T1071      | Application Layer Protocol                            | The malware uses standard protocols like TLS over port 443 for its command and control communications to evade detection.
T1571      | Non-Standard Port                                     | In some observed attacks, C2 communication has been noted over non-standard ports.
T1001      | Data Obfuscation                                      | C2 configurations within the malware are often statically compiled and encrypted to hinder analysis.

Indicators of Compromise (IOCs)

  • IPs:
    • 47.97.42[.]177
  • SHA256 File Hash:
    • 270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43 (Auto-Color sample)
  • Malicious File Paths/Names:
    • Suspicious .jsp, .class, or .java files in /irj/root/, /irj/work/, or /irj/work/sync/
    • cache.jsp, helper.jsp, cmd.jsp
    • /var/log/cross/auto-color
    • /etc/ld.so.preload (check for unauthorized modifications)

Threat Actor Attribution

Exploiting CVE-2025-31324 has attracted a diverse range of threat actors, from opportunistic cybercriminals to sophisticated state-sponsored groups. While initial exploitation may have been widespread, intelligence indicates that several organized groups now leverage this vulnerability for targeted campaigns.

Confirmed and suspected threat actors include:

  • BianLian Ransomware Group: A financially motivated ransomware-as-a-service (RaaS) operator known for data extortion. They have been observed using this vulnerability as an initial access vector to deploy their ransomware payload.
  • RansomEXX Group: Another prominent ransomware gang that has integrated the exploit into its attack chain to compromise enterprise networks and exfiltrate data before encryption.
  • Chaya_004 Group: A suspected China-linked state-sponsored group. This actor has been seen deploying custom malware, including a Golang-based reverse shell called SuperShell, suggesting a focus on long-term espionage and intelligence gathering.
  • Earth Lamia Group: This group, also believed to be state-affiliated, is leveraging the vulnerability to establish persistent access using advanced backdoors like Auto-Color and post-exploitation frameworks such as Cobalt Strike and Brute Ratel C4 for broader campaigns.

The involvement of both financially motivated ransomware gangs and nation-state actors highlights the critical nature of this vulnerability. It serves as a direct path to deploying ransomware and a strategic foothold for persistent, stealthy espionage operations.


Impact

Successful exploitation of this vulnerability has severe consequences, including:

  • Complete System Takeover: Attackers gain full remote control of the SAP server, running with the permissions of the SAP service account.
  • Enterprise-Wide Compromise: The compromised SAP server can be a beachhead for lateral movement into the wider corporate network.
  • Data Exfiltration: Sensitive business, financial, and customer data stored and processed by SAP systems can be stolen.
  • Ransomware Deployment: The vulnerability is used as an entry vector to deploy ransomware across corporate networks.

Mitigation Steps

  1. Patch SAP Systems: Immediately apply the security patches released by SAP to address CVE-2025-31324. Support packages SP027 – SP033 have been released for NetWeaver 7.50 and above.
  2. Isolate Devices: Remove vulnerable SAP systems from public-facing interfaces if patching is not immediately possible.
  3. Harden Endpoint: As a workaround, block access to the /developmentserver/metadatauploader endpoint and consider disabling the Visual Composer component if it is not in use.
  4. Threat Hunting:
    • Scan for the IOCs listed above, including suspicious .jsp files in known exploit paths and modifications to /etc/ld.so.preload. Onapsis and Mandiant have released an open-source tool to help identify signs of compromise.
    • Monitor for anomalous outbound network connections, especially to unknown IP addresses or those listed in the IOCs.
    • Review HTTP access logs for requests to the vulnerable endpoint.
  5. Deploy EDR/WAF: Use Endpoint Detection and Response (EDR) and Web Application Firewall (WAF) solutions to gain visibility into system behavior and block malicious requests and processes.
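The three threat-hunting checks above, worked as an added defensive example that is not part of the original post: it flags access-log requests to the vulnerable endpoint or to the listed web shell names, walks the irj directories for .jsp/.class/.java drops, and compares /etc/ld.so.preload against an allowlist (a missing file is the normal state). The log regex assumes NCSA-style access logs; the sample log lines, file tree and preload contents are constructed.

```python
import os, re, tempfile
from pathlib import Path

# Constructed NCSA-style access log lines (sample data, not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.9 - - [01/May/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 312
10.0.0.7 - - [01/May/2025:10:03:40 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 88
"""
VULN_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"cache.jsp", "helper.jsp", "cmd.jsp"}
IRJ_DIRS = ("irj/root", "irj/work", "irj/work/sync")   # IOC paths named in the advisory
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def hunt_access_log(text):
    """Return (ip, method, path) for requests to the upload endpoint or a known web shell name."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ip, method, path, _status = m.groups()
        bare = path.split("?", 1)[0]              # drop the query string before matching
        if bare.startswith(VULN_ENDPOINT) or os.path.basename(bare) in WEBSHELL_NAMES:
            hits.append((ip, method, bare))
    return hits

def hunt_jsp_files(root):
    """List .jsp/.class/.java files under the irj directories the advisory names (deduplicated)."""
    found = set()
    for rel in IRJ_DIRS:
        d = Path(root) / rel
        if d.is_dir():
            found.update(str(p.relative_to(root)) for p in d.rglob("*")
                         if p.suffix in {".jsp", ".class", ".java"})
    return sorted(found)

def check_ld_preload(path="/etc/ld.so.preload", allowlist=()):
    """Return preload entries not on the allowlist; a missing file is the normal, clean state."""
    p = Path(path)
    lines = p.read_text().splitlines() if p.exists() else []
    entries = [l.strip() for l in lines if l.strip() and not l.startswith("#")]
    return [e for e in entries if e not in allowlist]

def demo():
    # Build a constructed tree in a temp dir and run the filesystem checks against it.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "irj/root"))
    Path(root, "irj/root/cache.jsp").touch()      # constructed web shell drop
    Path(root, "irj/root/index.html").touch()     # benign file, must not be flagged
    pre = Path(root, "ld.so.preload")
    pre.write_text("/usr/lib/libsnoopy.so\n/tmp/constructed-unknown.so\n")  # constructed contents
    return hunt_jsp_files(root), check_ld_preload(str(pre), allowlist=("/usr/lib/libsnoopy.so",))
```

Run check_ld_preload() with its default path on a real host; any entry you did not put there deserves investigation, and hunt_access_log() should be pointed at the full ICM/Java server access logs, not only the web-tier proxy.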

Instantly Fix Risks with Saner Patch Management

Saner Patch Management is a continuous, automated, and integrated software solution designed to proactively address vulnerabilities and instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, macOS, and over 550 third-party applications.

It also facilitates setting up a secure testing environment to validate patches before their broad deployment in a primary production environment. Additionally, Saner Patch Management includes a patch rollback feature, offering a safety net in case of patch failure or system malfunction.

Experience the fastest and most accurate patching software here.