Hackers have exploited a critical vulnerability in SAP NetWeaver, a widely used enterprise software platform, to deploy a sophisticated backdoor malware known as Auto-Color. The vulnerability, identified as CVE-2025-31324, has affected multiple organizations, with one U.S. chemicals company, still not publicly identified, being specifically targeted.
CVE-2025-31324 Explainer
The vulnerability at the center of this attack, CVE-2025-31324, resides within the Visual Composer component of SAP NetWeaver. This flaw allows unauthenticated remote code execution, meaning attackers can infiltrate systems without needing valid login credentials. Once exploited, the flaw allows attackers to introduce malicious code into the environment.
Hackers have taken advantage of this weakness to deploy Auto-Color, a Remote Access Trojan (RAT) targeting Linux systems. The malware’s primary function is to grant attackers persistent access to compromised systems, allowing them to steal sensitive data, manipulate operations, and escalate their privileges. The attack has been particularly damaging for organizations using SAP NetWeaver for critical business functions, including supply chain management and enterprise resource planning (ERP).
Exploitation of SAP NetWeaver Vulnerability
The breach targeted multiple organizations, but the attack on the U.S. chemicals company is the most widely reported. After exploiting the CVE-2025-31324 vulnerability, the attackers gained unauthorized access to the company’s SAP NetWeaver platform. From there, they were able to deploy the Auto-Color malware across the organization’s Linux systems. SAP NetWeaver is a critical tool for managing a variety of business functions, including supply chain logistics, accounting, and human resources. Because of this, any disruption in its operations—such as the deployment of malware—can have severe consequences for a company’s ability to function and maintain compliance.
The rapid spread of Auto-Color once deployed speaks to the sophistication of modern cyberattacks, where attackers are often able to exploit vulnerabilities before they can be patched. In this case, the attackers were able to deploy the malware, establish control, and begin extracting sensitive data within a matter of hours.
SAP Has a Patch
Upon identifying the vulnerability, SAP moved quickly to release a patch to address CVE-2025-31324. The patch effectively closed the exploit, preventing further instances of the vulnerability from being exploited in the wild. However, the damage had already been done for the affected organizations that had failed to apply the patch in time. This delay in patch management is a common vulnerability across many organizations and underscores the importance of a well-established patching policy.
Although the patch mitigates the risk moving forward, organizations that were slow to adopt the update have likely suffered data loss or operational disruptions. This incident emphasizes the need for robust patch management practices in businesses that rely on critical software infrastructure like SAP.
