Particle.news


First Real-World Attack via SAP NetWeaver Flaw Deploys Auto-Color Backdoor

Darktrace’s AI-driven Autonomous Response halted the intrusion, prompting immediate patching of SAP NetWeaver systems.

Image: SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Overview

  • Darktrace identified and documented the first real-world exploit of CVE-2025-31324 in April, which delivered the Auto-Color backdoor to a US chemicals company.
  • The flaw, disclosed by SAP in April with a CVSS score of 10, enables unauthenticated file uploads that can lead to remote code execution and full system compromise.
  • Auto-Color targets Linux servers by leveraging ld.so.preload for stealthy persistence, renaming itself to “/var/log/cross/auto-color” and suppressing activity if its command-and-control channel fails.
  • Darktrace’s Autonomous Response used machine learning to enforce a 30-minute “pattern of life” on the compromised device, containing malicious actions without disrupting normal operations.
  • Security experts urge organisations to install SAP’s patch immediately or isolate vulnerable NetWeaver instances and deploy zero-trust network controls.
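The persistence mechanism described above (a shared object listed in /etc/ld.so.preload so it is loaded into every dynamically linked process) is something a defender can audit directly. The following Python script is an added example for this summary, not code from Darktrace, SAP or the Auto-Color analysis. It assumes the glibc convention that ld.so.preload holds whitespace-separated shared-object paths with `#` starting a comment; the only indicator taken from the article is the "/var/log/cross/auto-color" path, and the directory heuristics are the script's own. The sample file contents are constructed.

```python
"""Audit /etc/ld.so.preload for suspicious preload entries.

Added defensive example, not code from the article's vendors. Assumes the
glibc ld.so.preload format (whitespace-separated paths, '#' comments); the
"suspicious directory" rules are this script's own heuristics.
"""
import os

# Persistence path reported for the Auto-Color backdoor in the article.
KNOWN_BAD_PATHS = {"/var/log/cross/auto-color"}

# Directories where preloaded shared objects legitimately live (assumption).
LIBRARY_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Writable, non-library locations that are unusual for a preload (assumption).
SUSPICIOUS_PREFIXES = ("/var/log", "/tmp", "/var/tmp", "/dev/shm", "/home", "/root")

# Constructed sample of an ld.so.preload file; not from a real host.
SAMPLE_PRELOAD = """# constructed sample
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-0.so
/var/log/cross/auto-color
/tmp/.x/libhook.so
"""


def _under(path, prefixes):
    """True if `path` lies inside one of `prefixes` (directory-boundary aware)."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def parse_preload(text):
    """Return the shared-object paths listed in ld.so.preload text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments (assumed glibc behaviour)
        entries.extend(line.split())
    return entries


def classify_entry(path, exists=None):
    """Return the reasons an entry looks suspicious (empty list if benign).

    `exists` overrides the filesystem check so the logic can run offline.
    """
    reasons = []
    if path in KNOWN_BAD_PATHS:
        reasons.append("matches known Auto-Color path")
    if _under(path, SUSPICIOUS_PREFIXES):
        reasons.append("preload from writable/non-library directory")
    elif not _under(path, LIBRARY_PREFIXES):
        reasons.append("preload outside standard library directories")
    if exists is None:
        exists = os.path.exists(path)
    if not exists:
        # A dangling entry still matters: it shows the file was tampered with.
        reasons.append("referenced file does not exist")
    return reasons


def audit(text, exists_fn=None):
    """Map every preload entry in `text` to its list of findings."""
    findings = {}
    for path in parse_preload(text):
        exists = None if exists_fn is None else exists_fn(path)
        findings[path] = classify_entry(path, exists)
    return findings


def audit_host(preload_file="/etc/ld.so.preload"):
    """Audit the live host; an absent file means nothing is preloaded."""
    if not os.path.exists(preload_file):
        return {}
    with open(preload_file, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for entry, reasons in audit_host().items():
        status = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{entry}: {status}")
```

Run it as root on a Linux host to print one line per preload entry; an empty report means either no /etc/ld.so.preload exists or every entry sits in a standard library directory and resolves to a real file. The `exists_fn` hook exists so the classification can be exercised against constructed input without touching the filesystem.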