Overview
- The CVE-2025-31324 flaw in SAP NetWeaver allows unauthenticated file uploads and was rated CVSS 10 when patched on April 24.
- Darktrace's research identified the first recorded case of CVE-2025-31324 being used to deliver the Auto-Color backdoor during a late-April attack on a U.S. chemicals company’s network.
- Auto-Color achieves stealthy persistence on Linux by abusing ld.so.preload, deploying a rootkit module and suppressing activity when its command-and-control server is unreachable.
- Darktrace’s AI-driven Autonomous Response halted the malware’s progression by imposing pattern-of-life restrictions and extending containment measures for 24 hours.
- Security firms have tracked ongoing exploits by ransomware groups and state-linked actors since the April patch, prompting calls for rapid updates, instance isolation and zero-trust defenses.
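The ld.so.preload abuse noted above is cheap to check for on a Linux host: glibc reads /etc/ld.so.preload at every dynamic-link and loads each listed object into every process. The audit below is an added example, not code from the page or from Darktrace; the allowlist, the "system library directory" heuristic and the sample file contents are assumptions.

```python
#!/usr/bin/env python3
"""Audit /etc/ld.so.preload for unexpected shared-object entries.

Hypothetical defender-side check; not Darktrace's tooling. The
allowlist and path heuristics below are assumptions for illustration.
"""
import os
import sys

# Assumption: an empty allowlist, i.e. on this fleet nothing is expected
# in ld.so.preload. Add approved libraries here if your hosts use them.
ALLOWLIST = frozenset()


def parse_preload(content):
    """Return the library paths in ld.so.preload content.

    glibc treats the file as whitespace-separated names and ignores text
    after '#'; entries may share a line or sit on separate lines.
    """
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        entries.extend(line.split())
    return entries


def audit_preload(content, allowlist=ALLOWLIST, exists=os.path.exists):
    """Return (path, reason) findings for every entry not on the allowlist."""
    findings = []
    for path in parse_preload(content):
        if path in allowlist:
            continue
        if not path.startswith("/"):
            findings.append((path, "relative path"))
        elif not exists(path):
            findings.append((path, "listed library does not exist"))
        elif not path.startswith(("/lib", "/usr/lib")):
            findings.append((path, "library outside system library directories"))
        else:
            findings.append((path, "not on allowlist"))
    return findings


def main(path="/etc/ld.so.preload"):
    if not os.path.exists(path):
        print(f"{path} absent: nothing is preloaded")
        return 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_preload(fh.read())
    for entry, reason in findings:
        print(f"SUSPICIOUS {entry}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

A non-empty file on a host where nothing should be preloaded is itself a finding; compare the listed objects against package-manager ownership before deciding they are benign.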