Particle.news

Darktrace Details First Auto-Color Malware Attack Exploiting Patched SAP NetWeaver Flaw

Despite an April patch, CVE-2025-31324 remains under active attack, prompting organizations to deploy zero-trust measures.

Image: SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Overview

  • The CVE-2025-31324 flaw in SAP NetWeaver allows unauthenticated file uploads and was rated CVSS 10 when patched on April 24.
  • Darktrace's research identified the first recorded case of CVE-2025-31324 being used to deliver the Auto-Color backdoor during a late-April attack on a U.S. chemicals company’s network.
  • Auto-Color achieves stealthy persistence on Linux by abusing ld.so.preload, deploying a rootkit module and suppressing activity when its command-and-control server is unreachable.
  • Darktrace’s AI-driven Autonomous Response halted the malware’s progression by imposing pattern-of-life restrictions and extending containment measures for 24 hours.
  • Security firms have tracked ongoing exploits by ransomware groups and state-linked actors since the April patch, prompting calls for rapid updates, instance isolation and zero-trust defenses.
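One defender's check for the ld.so.preload persistence mechanism mentioned above, added here as an illustration rather than code from Darktrace's report or the article: it parses an ld.so.preload file and flags entries that sit outside the expected library directories, are missing from disk, or have unsafe ownership or permissions. The trusted-directory allowlist and the sample file content are assumptions made for the example.

```python
"""Audit ld.so.preload content: a shared object listed there is injected into
every dynamically linked process, so each entry should be a known, root-owned
library on disk. Run it over a copy from a forensic image or a trusted boot."""
import os
import stat

# Directories a legitimately preloaded library is expected to live under.
# This allowlist is an assumption for the example, not taken from the article.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_preload(text):
    """Return the library paths listed in ld.so.preload content.
    Mirrors the loader: '#' starts a comment, whitespace and ':' separate entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def audit_entry(path, exists=os.path.exists, stat_fn=os.lstat):
    """Return the reasons an entry looks suspicious; an empty list means it passed.
    `exists` and `stat_fn` are injectable so the check can run over an offline image."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path")
    if not any(path.startswith(d + "/") for d in TRUSTED_DIRS):
        reasons.append("outside trusted library directories")
    if not exists(path):
        # Missing on disk is itself notable: either the loader is already
        # complaining about it, or something (a rootkit) is hiding the file.
        reasons.append("file missing on disk")
    else:
        st = stat_fn(path)
        if st.st_uid != 0:
            reasons.append("not owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
    return reasons


def audit_preload(text, **checks):
    """Map every listed library to its list of findings."""
    return {p: audit_entry(p, **checks) for p in parse_preload(text)}


if __name__ == "__main__":
    # Constructed sample content, not a real artefact from the incident.
    sample = "/lib/x86_64-linux-gnu/libc.so.6\n/tmp/.cache/libhide.so\n"
    for lib, findings in audit_preload(sample).items():
        print(lib, "->", findings or "ok")
```

A non-empty ld.so.preload is unusual enough on most servers that its mere presence, not only its contents, deserves an alert.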