
A critical zero-day vulnerability in SAP NetWeaver, CVE-2025-31324, is being exploited to deliver “Auto-Color,” a stealthy Linux backdoor. The vulnerability allows for unauthenticated remote code execution (RCE), enabling attackers to achieve full system compromise. Multiple threat actors, including state-sponsored groups and ransomware operators, have weaponized this flaw to deploy malware, establish persistent access, and steal data. Immediate patching and proactive threat hunting are essential for all organizations using affected SAP products.
Background on SAP NetWeaver
SAP NetWeaver is a foundational application server for many SAP business applications. It can be deployed on-premise or in the cloud and runs on Windows and Linux servers. Due to its critical role in processing and storing sensitive enterprise data, it is a high-value target for cyber attackers. The specific component affected by this vulnerability is the Visual Composer, which, although not installed by default, is present in a significant percentage of SAP Java systems.
Vulnerability Details
- CVE-ID: CVE-2025-31324.
- CVSS Score: 10.0 (Critical).
- Vulnerability Type: A Missing Authorization Check leads to Unrestricted File Upload (CWE-434), which allows unauthenticated remote code execution (RCE).
- Affected Component: SAP NetWeaver Visual Composer Framework 7.50. All NetWeaver 7.50 versions are considered vulnerable.
- Affected Endpoint: `/developmentserver/metadatauploader`
Infection Method
The attack leverages the vulnerability in a multi-step process:
- Initial Access: Attackers scan the internet for publicly exposed SAP NetWeaver systems.
- Exploitation: A specially crafted HTTP POST request is sent to the vulnerable `/developmentserver/metadatauploader` endpoint. Due to the missing authorization check, the server accepts the request from the unauthenticated attacker.
- Web Shell Upload: The attacker uploads a malicious file, typically a web shell such as `helper.jsp` or `cache.jsp`, to the server’s file system.
- Malware Execution: The attacker accesses the web shell through a browser to execute commands on the compromised server. This is often used to download and run a more sophisticated payload, such as the Auto-Color backdoor.
- Persistence: The malware establishes long-term access on the device, often by manipulating system files or creating scheduled tasks.
Malware Behavior and Capabilities (“Auto-Color”)
First observed in late 2024, Auto-Color is a Remote Access Trojan (RAT) specifically targeting Linux systems. It is named for its behavior of renaming itself to `/var/log/cross/auto-color` to masquerade as a log file. Its advanced features indicate a focus on stealth and espionage:
- Evasive Persistence: Uses the `ld.so.preload` feature to inject its malicious library before any others, allowing it to hook system functions and remain hidden.
- Privilege-Aware Execution: The malware adapts its behavior based on the privilege level it is running under.
- Command and Control (C2) Suppression: If the malware cannot connect to its hardcoded C2 server, it enters a dormant state, suppressing most malicious activity. This tactic helps it evade detection in sandboxed or air-gapped analysis environments.
- Reverse Shell: Provides the attacker with full remote access and the ability to execute arbitrary commands.
- Rootkit Functionality: Includes a module designed to hide its malicious processes and files from security tools.
- Proxy Tunneling: Can forward traffic through the compromised device, enabling stealthy movement within the internal network.
Techniques and Tactics Include
| TTP ID | Technique Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | The deployed web shell executes shell commands to download and run the main malware payload. |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | The malware binary renames itself “auto-color” and places itself in a directory path mimicking system logs to blend in. |
| T1547.006 | Boot or Logon Autostart Execution: ld.so.preload | The Auto-Color malware modifies `/etc/ld.so.preload` to ensure it is loaded by the dynamic linker, establishing persistence. |
| T1036 | Masquerading | The deployed web shell executes shell commands to download and run the primary malware payload. |
| T1071 | Application Layer Protocol | The malware uses standard protocols like TLS over port 443 for its command and control communications to evade detection. |
| T1571 | Non-Standard Port | In some observed attacks, C2 communication has been noted over non-standard ports. |
| T1001 | Data Obfuscation | C2 configurations within the malware are often statically compiled and encrypted to hinder analysis. |
Indicators of Compromise (IOCs)
- IPs: 47.97.42[.]177
- SHA256 File Hash: 270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43 (Auto-Color sample)
- Malicious File Paths/Names:
  - Suspicious `.jsp`, `.class`, or `.java` files in `/irj/root/`, `/irj/work/`, or `/irj/work/sync/`
  - `cache.jsp`, `helper.jsp`, `cmd.jsp`
  - `/var/log/cross/auto-color`
  - `/etc/ld.so.preload` (check for unauthorized modifications)
Threat Actor Attribution
Exploiting CVE-2025-31324 has attracted a diverse range of threat actors, from opportunistic cybercriminals to sophisticated state-sponsored groups. While initial exploitation may have been widespread, intelligence indicates that several organized groups now leverage this vulnerability for targeted campaigns.
Confirmed and suspected threat actors include:
- BianLian Ransomware Group: A financially motivated ransomware-as-a-service (RaaS) operator known for data extortion. They have been observed using this vulnerability as an initial access vector to deploy their ransomware payload.
- RansomEXX Group: Another prominent ransomware gang that has integrated the exploit into its attack chain to compromise enterprise networks and exfiltrate data before encryption.
- Chaya_004 Group: A suspected China-linked state-sponsored group. This actor has been seen deploying custom malware, including a Golang-based reverse shell called SuperShell, suggesting a focus on long-term espionage and intelligence gathering.
- Earth Lamia Group: This group, also believed to be state-affiliated, is leveraging the vulnerability to establish persistent access using advanced backdoors like Auto-Color and post-exploitation frameworks such as Cobalt Strike and Brute Ratel C4 for broader campaigns.
The involvement of both financially motivated ransomware gangs and nation-state actors highlights the critical nature of this vulnerability. It serves as a direct path to deploying ransomware and a strategic foothold for persistent, stealthy espionage operations.
Impact
Successful exploitation of this vulnerability has severe consequences, including:
- Complete System Takeover: Attackers gain full remote control of the SAP server, running with the permissions of the SAP service account.
- Enterprise-Wide Compromise: The compromised SAP server can be a beachhead for lateral movement into the wider corporate network.
- Data Exfiltration: Sensitive business, financial, and customer data stored and processed by SAP systems can be stolen.
- Ransomware Deployment: The vulnerability is used as an entry vector to deploy ransomware across corporate networks.
Mitigation Steps
- Apply Patches: Immediately apply the security patches released by SAP to address CVE-2025-31324. Support packages SP027 – SP033 have been released for NetWeaver 7.50 and above.
- Isolate Devices: Remove vulnerable SAP systems from public-facing interfaces if patching is not immediately possible.
- Harden Endpoint: As a workaround, block access to the `/developmentserver/metadatauploader` endpoint and consider disabling the Visual Composer component if it is not in use.
- Threat Hunting:
  - Scan for the IOCs listed above, including suspicious `.jsp` files in known exploit paths and modifications to `/etc/ld.so.preload`. Onapsis and Mandiant have released an open-source tool to help identify signs of compromise.
  - Monitor for anomalous outbound network connections, especially to unknown IP addresses or those listed in the IOCs.
  - Review HTTP access logs for requests to the vulnerable endpoint.
- Deploy EDR/WAF: Use Endpoint Detection and Response (EDR) and Web Application Firewall (WAF) solutions to gain visibility into system behavior and block malicious requests and processes.
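The threat-hunting steps above, and the `ld.so.preload` persistence described in the malware section, can be turned into a small triage script. The following is an added example written for this page, not the Onapsis/Mandiant tool or any SecPod product; it uses only the endpoint, file names, paths and IOC IP stated in the advisory. The log lines are constructed samples in Apache common log format (as a reverse proxy in front of NetWeaver might write them), so the `LOG_RE` pattern is an assumption to adapt to your real log source.

```python
"""Triage helpers for the CVE-2025-31324 / Auto-Color indicators in this advisory.

Constructed sample data and heuristics for illustration; adapt the log pattern
and paths to the environment you are hunting in.
"""
import re
from typing import Iterable, Optional

# Indicators taken from the advisory text.
VULN_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"cache.jsp", "helper.jsp", "cmd.jsp"}
SUSPICIOUS_DIRS = ("/irj/root/", "/irj/work/", "/irj/work/sync/")
SUSPICIOUS_EXTS = (".jsp", ".class", ".java")
AUTO_COLOR_PATH = "/var/log/cross/auto-color"
KNOWN_C2_IPS = {"47.97.42.177"}  # defanged as 47.97.42[.]177 in the IOC list

# Assumption: Apache common log format. Replace for the NetWeaver HTTP access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_path(path: str) -> Optional[str]:
    """Map a file or URL path to an IOC category, or None if it matches nothing."""
    name = path.rsplit("/", 1)[-1]
    if path == AUTO_COLOR_PATH:
        return "auto-color-binary"
    if name in WEBSHELL_NAMES:
        return "known-webshell-name"
    if path.startswith(SUSPICIOUS_DIRS) and name.endswith(SUSPICIOUS_EXTS):
        return "suspicious-file-in-exploit-path"
    return None


def scan_access_log(lines: Iterable[str]) -> list:
    """Return requests touching the upload endpoint or a web shell path.

    A successful POST to the endpoint is the strongest exploitation signal;
    any request to a known web shell name is treated as high severity too.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        path = m["path"].split("?", 1)[0]
        if path.lower().startswith(VULN_ENDPOINT):
            reason = "upload-endpoint-request"
        else:
            reason = classify_path(path)
        if reason is None:
            continue
        successful_post = m["method"] == "POST" and m["status"].startswith("2")
        severity = "high" if (successful_post or reason == "known-webshell-name") else "medium"
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": path, "status": int(m["status"]),
                     "reason": reason, "severity": severity})
    return hits


def check_ld_preload(content: str) -> list:
    """Return every library entry in an /etc/ld.so.preload body.

    The file is normally absent or empty on a server, so any entry warrants
    investigation, not only ones with obviously odd names.
    """
    return [ln.strip() for ln in content.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def flag_c2_connections(conns: Iterable[tuple]) -> list:
    """Return (remote_ip, port) pairs that hit the advisory's C2 IP."""
    return [c for c in conns if c[0] in KNOWN_C2_IPS]


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Jun/2025:12:00:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Jun/2025:12:01:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 231',
    '203.0.113.10 - - [10/Jun/2025:12:02:15 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"[{h['severity']}] {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['reason']}")
    print("ld.so.preload entries:", check_ld_preload("# constructed\n/usr/lib/libcross.so\n"))
    print("C2 hits:", flag_c2_connections([("47.97.42.177", 443), ("203.0.113.5", 443)]))
```

Run it against a real access log with `scan_access_log(open(path))` and against the contents of `/etc/ld.so.preload` read from each Linux host; every result from `check_ld_preload` should be reconciled against change records, since the file has no legitimate reason to carry entries on an SAP application server.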
Instantly Fix Risks with Saner Patch Management
Saner Patch Management is a continuous, automated, and integrated software solution designed to proactively address vulnerabilities and instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, macOS, and over 550 third-party applications.
It also facilitates setting up a secure testing environment to validate patches before their broad deployment in a primary production environment. Additionally, Saner Patch Management includes a patch rollback feature, offering a safety net in case of patch failure or system malfunction.
Experience the fastest and most accurate patching software here.
